access: restrict password changes on @pam realm to superuser

for consistency with the behavior of `update_user`

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Oguz Bektas 2021-01-13 17:26:15 +01:00 committed by Fabian Grünbichler
parent 5aa1019010
commit 6bbe49aa14


@ -245,7 +245,7 @@ fn create_ticket(
},
},
access: {
description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
description: "Everybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password on @pbs realm.",
permission: &Permission::Anybody,
},
)]
@ -271,17 +271,16 @@ fn change_password(
let mut allowed = userid == *current_user;
if current_user == "root@pam" {
allowed = true;
}
if !allowed {
let user_info = CachedUserInfo::new()?;
let privs = user_info.lookup_privs(&current_auth, &[]);
if (privs & PRIV_PERMISSIONS_MODIFY) != 0 {
if user_info.is_superuser(&current_auth) {
allowed = true;
}
}
if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" {
allowed = true;
}
};
if !allowed {
bail!("you are not authorized to change the password.");