cached user info: check_privs: print privilege path in error message
As else this is really user unfriendly, and it not printing it has no advantage. If one doesn't wants to leak resource existence they just need to *always* check permissions before checking if the requested resource exists, if that's not done one can leak information also without getting the path returned (as the system will either print "resource doesn't exists" or "no permissions" respectively) Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
parent
37e53b4c07
commit
3cfc56f5c2
@ -89,7 +89,9 @@ impl CachedUserInfo {
|
||||
(user_privs & required_privs) == required_privs
|
||||
};
|
||||
if !allowed {
|
||||
bail!("no permissions");
|
||||
// printing the path doesn't leaks any information as long as we
|
||||
// always check privilege before resource existence
|
||||
bail!("no permissions on '/{}'", path.join("/"));
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user