mirror of git://git.proxmox.com/git/pve-access-control.git synced 2025-01-05 09:17:53 +03:00

api: ACL update: fix handling of Permissions.Modify

With the PVE 8.0 major release, the scope of
non-"Permissions.Modify"-based ACL update privileges was reduced (so
that users with, for example, VM.Allocate on a VM could only delegate
their own privileges, but not arbitrary other ones). That additional
logic had a wrong guard and was accidentally triggered for calls where
the user had the "Permissions.Modify" privilege on the modified ACL
path, but without propagation set.

A user with "Permissions.Modify" on a path should be able to set
arbitrary ACLs for that path, even without propagation.

Reported on the forum: https://forum.proxmox.com/threads/151032/

Fixes: 46bfd59 ("acls: restrict less-privileged ACL modifications")
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler 2024-07-11 13:44:07 +02:00 committed by Thomas Lamprecht
parent 2c74a9abd5
commit 7d05a239d2


@ -166,7 +166,8 @@ __PACKAGE__->register_method ({
die "role '$role' does not exist\n" die "role '$role' does not exist\n"
if !$cfg->{roles}->{$role}; if !$cfg->{roles}->{$role};
if (!$auth_user_privs->{'Permissions.Modify'}) { # permissions() returns set privs as key, and propagate bit as value!
if (!defined($auth_user_privs->{'Permissions.Modify'})) {
# 'perm-modify' allows /vms/* with VM.Allocate and similar restricted use cases # 'perm-modify' allows /vms/* with VM.Allocate and similar restricted use cases
# filter those to only allow handing out a subset of currently active privs # filter those to only allow handing out a subset of currently active privs
my $role_privs = $cfg->{roles}->{$role}; my $role_privs = $cfg->{roles}->{$role};
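
Review bot: the switch to `!defined(...)` at the `Permissions.Modify` guard comes with no test in the visible lines, and this behaviour is easy to regress because, as the new comment says, permissions() returns the propagate bit as the value, so a privilege that is set without propagation evaluates as false. Suggest adding a test case in which the authenticated user holds Permissions.Modify on the path with propagate 0 and assigns a role carrying privileges they do not hold themselves, asserting that the update succeeds, next to a case without Permissions.Modify that is still limited to the subset of currently active privileges. It would also be worth checking other callers that test a permissions() result for truth rather than with defined().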