[pve-devel] applied series: [PATCH access-control 0/3] fix two propagation related bugs
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri Jun 3 14:03:54 CEST 2022
On 03/06/2022 at 13:50, Fabian Grünbichler wrote:
> these patches fix two related bugs:
> - the propagation flag used for priv dumping was set randomly if two
> roles with a common priv exist on a path, one with and one without
> propagation
> - user/token priv intersection only took user privs into account that
> had propagation set
>
> the first can affect the second one negatively (if the first bug causes
> the propagation flag to be dropped, the second one will drop the priv
> from the merged set of privileges for priv-separated tokens).
>
> in both cases there is no possibility to elevate privileges:
> - bug #1 sometimes marks privs as non-propagated that are, but only for
> display, not for checking purposes
> - bug #2 causes a token to have less privileges than it should, not more
>
> Fabian Grünbichler (3):
> permissions: properly merge propagation flag
> permissions: fix token/user priv intersection
> permissions: add some more comments
>
> src/PVE/RPCEnvironment.pm | 44 +++++++++++++++++++++++++++++++++++----
> src/test/perm-test8.pl | 2 +-
> src/test/test8.cfg | 2 ++
> 3 files changed, 43 insertions(+), 5 deletions(-)
>
applied series, thanks!
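
A simplified model of the two bugs described in the quoted cover letter, added here as an illustration; it is not code from src/PVE/RPCEnvironment.pm or from the patches. It assumes a privilege set is stored as a hash of priv => propagate flag; the function names, role data and token ACL are hypothetical.

```perl
use strict;
use warnings;

# Assumed model: a privilege set is a hash of priv => propagate flag (1 or 0).
# Constructed sample: two roles on one path share VM.Audit.
my @roles = (
    { propagate => 1, privs => ['VM.Audit', 'VM.Console'] },
    { propagate => 0, privs => ['VM.Audit'] },
);

# Bug #1 shape: the last role processed wins, so the flag depends on order.
sub merge_last_wins {
    my %out;
    for my $role (@_) {
        $out{$_} = $role->{propagate} for @{ $role->{privs} };
    }
    return \%out;
}

# Order-independent merge: propagated if any role grants it with propagation.
sub merge_any {
    my %out;
    for my $role (@_) {
        $out{$_} ||= $role->{propagate} for @{ $role->{privs} };
    }
    return \%out;
}

# Bug #2 shape: testing the flag's truth value drops user privs flagged 0.
sub intersect_truthy {
    my ($token, $user) = @_;
    return { map { ($_ => $token->{$_}) } grep { $user->{$_} } keys %$token };
}

# Membership test: keep every token priv the user holds, whatever its flag.
sub intersect_exists {
    my ($token, $user) = @_;
    return { map { ($_ => $token->{$_}) } grep { exists $user->{$_} } keys %$token };
}

sub show { my ($h) = @_; return join(', ', map { "$_=$h->{$_}" } sort keys %$h) || '(none)'; }

# Run both merges over both processing orders of the same roles.
for my $order ([@roles], [reverse @roles]) {
    printf "last-wins: %-28s any: %s\n", show(merge_last_wins(@$order)), show(merge_any(@$order));
}

my $user  = merge_last_wins(@roles);   # order where the non-propagated grant is processed last
my $token = { 'VM.Audit' => 1 };       # constructed token ACL
printf "truthy: %s\nexists: %s\n", show(intersect_truthy($token, $user)), show(intersect_exists($token, $user));
```

In this model both failure modes only ever remove a flag or a privilege from the result, which matches the cover letter's statement that neither bug can elevate privileges.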