[pve-devel] [PATCH v2 access-control 11/12] api: allow superusers to edit tfa and password settings

Oguz Bektas o.bektas at proxmox.com
Fri Mar 11 12:25:03 CET 2022 

Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
v1->v2:
* also adapt change_password
* didn't remove the comments in TFA.pm since it was still confusing without them

 src/PVE/API2/AccessControl.pm | 6 ++++++
 src/PVE/API2/TFA.pm           | 7 +++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 5d78c6f..1b471f6 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -378,9 +378,15 @@ __PACKAGE__->register_method ({
 
 	$rpcenv->check_user_exist($userid);
 
+	# check for SU privs on user groups
+	my $is_superuser = $rpcenv->check($authuser, "/access/groups", ['SuperUser'], 1);
+
 	if ($authuser eq 'root at pam') {
 	    # OK - root can change anything
 	} else {
+	    if ($is_superuser && $userid ne 'root at pam') {
+		# OK - superusers can change any user's password except root at pam
+	    }
 	    if ($authuser eq $userid) {
 		$rpcenv->check_user_enabled($userid);
 		# OK - each user can change its own password
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index bee4dee..bab78ea 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -102,13 +102,16 @@ my $TFA_UPDATE_INFO_SCHEMA = {
 my sub root_permission_check : prototype($$$$) {
     my ($rpcenv, $authuser, $userid, $password) = @_;
 
+    # authuser = the user making the change
+    # userid = the user to be changed
     ($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
     $rpcenv->check_user_exist($userid);
 
-    raise_perm_exc() if $userid eq 'root at pam' && $authuser ne 'root at pam';
+    my $is_superuser = $authuser eq 'root at pam' || $rpcenv->check($authuser, "/access/groups", ['SuperUser'], 1);
+    raise_perm_exc() if $userid eq 'root at pam' && !$is_superuser; # root at pam can be only edited by superusers
 
     # Regular users need to confirm their password to change TFA settings.
-    if ($authuser ne 'root at pam') {
+    if ($authuser ne 'root at pam') { # we still do password confirmation for superusers like the other users
 	raise_param_exc({ 'password' => 'password is required to modify TFA data' })
 	    if !defined($password);
 
-- 
2.30.2

More information about the pve-devel mailing list