api: ACL update: fix handling of Permissions.Modify

With the PVE 8.0 major release, the scope of non-"Permissions.Modify"-based ACL update privileges were reduced (so that users with for example, VM.Allocate on a VM could only delegate their own privileges, but not arbitrary other ones). that additional logic had a wrong guard and was accidentally triggered for calls where the user had the "Permissions.Modify" privilege on the modified ACL path, but without propagation set. A user with "Permissions.Modify" on a path should be able to set arbitrary ACLs for that path, even without propagation. Reported on the forum: https://forum.proxmox.com/threads/151032/ Fixes: 46bfd59 ("acls: restrict less-privileged ACL modifications") Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-01-03 01:17:55 +03:00 · 2024-07-11 13:44:07 +02:00 · 2024-07-11 13:44:07 +02:00 · 7d05a239d2
commit 7d05a239d2
parent 2c74a9abd5
1 changed files with 2 additions and 1 deletions
--- a/src/PVE/API2/ACL.pm
+++ b/src/PVE/API2/ACL.pm
@ -166,7 +166,8 @@ __PACKAGE__->register_method ({
 		    die "role '$role' does not exist\n"
 			if !$cfg->{roles}->{$role};

-		    if (!$auth_user_privs->{'Permissions.Modify'}) {
+		    # permissions() returns set privs as key, and propagate bit as value!
+		    if (!defined($auth_user_privs->{'Permissions.Modify'})) {
 			# 'perm-modify' allows /vms/* with VM.Allocate and similar restricted use cases
 			# filter those to only allow handing out a subset of currently active privs
 		        my $role_privs = $cfg->{roles}->{$role};