[pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA
Shan Shaji
s.shaji at proxmox.com
Tue Jul 29 13:06:44 CEST 2025
superseeded by v2: https://lore.proxmox.com/pve-devel/20250729110229.118959-1-s.shaji@proxmox.com/T/#u
On Tue Jul 29, 2025 at 12:40 PM CEST, Fabian Grünbichler wrote:
> > So the order will the lock TFA -> lock user cfg -> update user cfg ->
> > update tfa cfg.
>
> yes, unless you find another code path that does the inverse (lock user
> first, then lock TFA while the lock is held) - in that case we need to
> settle on one of the two variants ;)
I think it's not possible to do the other way around as when i checked
the implementaion of `lock_tfa_config` in PVE::AccessControl if the
user config is locked it's not possible to acquire a tfa lock. Also
there is a comment that mentions about locking of the files are only
allowed together in one order.
More information about the pve-devel
mailing list