tyler/proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

access: restrict password changes on @pam realm to superuser

Browse Source 
for behavior consistency with `update_user`

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
This commit is contained in:
Oguz Bektas
2021-01-13 17:26:15 +01:00
committed by Fabian Grünbichler
parent 5aa1019010
commit 6bbe49aa14
1 changed files with 6 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/api2/access.rs
View File

@ -245,7 +245,7 @@ fn create_ticket(
}, },
}, },
access: { access: {
description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.", description: "Everybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password on @pbs realm.",
permission: &Permission::Anybody, permission: &Permission::Anybody,
}, },
)] )]
@ -271,17 +271,16 @@ fn change_password(
let mut allowed = userid == *current_user; let mut allowed = userid == *current_user;
if current_user == "root@pam" {
allowed = true;
}
if !allowed { if !allowed {
let user_info = CachedUserInfo::new()?; let user_info = CachedUserInfo::new()?;
let privs = user_info.lookup_privs(&current_auth, &[]); let privs = user_info.lookup_privs(&current_auth, &[]);
if (privs & PRIV_PERMISSIONS_MODIFY) != 0 { if user_info.is_superuser(&current_auth) {
allowed = true; allowed = true;
} }
} if (privs & PRIV_PERMISSIONS_MODIFY) != 0 && userid.realm() != "pam" {
allowed = true;
}
};
if !allowed { if !allowed {
bail!("you are not authorized to change the password."); bail!("you are not authorized to change the password.");