mirror of
git://git.proxmox.com/git/pve-access-control.git
synced 2025-01-03 01:17:55 +03:00
5bcf553e3a
Add a new 'confirmation-password' parameter to the change-password endpoint and require non-root users to confirm their passwords. Doing so avoids that an attacker that has direct access to a computer where a user is logged in to the PVE interface can change the password of said user and thus either prolong their possibility to attack, and/or create a denial of service situation, where the original user cannot login into the PVE host using their old credentials. Note that this might sound worse than it is, as for this attack to work the attacker needs either: - physical access to an unlocked computer that is currently logged in to a PVE host - having taken over such a computer already through some unrelated vulnerability As these required pre-conditions are pretty big implications, which allow (temporary) access to all of the resources (including PVE ones) that the user can control, we see this as slight improvement that won't hurt, might protect one in some specific cases that is simply too cheap not to do. For now we avoid additional confirmation through a second factor, as that is a much higher complexity without that much gain, and some forms like (unauthenticated) button press on a WebAuthn token or the TOTP code would be easy to circumvent in the physical access case and in the local access case one might be able to MITM themselves too. Reported-by: Wouter Arts <security@wth-security.nl> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> [ TL: extend commit message ] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> |
||
---|---|---|
debian | ||
src | ||
.gitignore | ||
Makefile | ||
README | ||
user.cfg.ex |
User Management and Access Control ================================== Proxmox VE implements an easy but flexible way to manage users. A powerful Access Control algorithm is used to grant permissions to individual users or group of users. Best Practices: Use groups in ACLs (not individual users). User Authentication =================== Proxmox VE can use different authentication servers. Those servers are listed in '/etc/pve/priv/domain.cfg', indexed by a unique ID (called 'authentication domain' or 'realm'). User names need to be unique. We create unique names by adding the 'realm' to the user ID: <userid>@<realm> File format 'domain.cfg' ----example domains.cfg ------------------ # an active directory server AD: mycompany server1 10.10.10.1 server2 10.10.10.2 ... # an LDAP server LDAP: example.com server1 10.10.10.2 .... ------------------------------------------ There are 2 special authentication domains name 'pve' and 'pam': * pve: stores passwords to "/etc/pve/priv/shadow.cfg" (SHA256 crypt); * pam: use unix 'pam' Proposed user database fields: ============================== users: login_name: email address (user@domain) enable: 1 = TRUE, 0 = FALSE expire: <integer> (account expiration date) domid: reference to authentication domain firstname: user first name lastname: user last name email: user's email address comment: arbitrary comment special user root: The root user has full administrative privileges group: group_name: the name of the group user_list: list of login names comment: a more verbose description pool: pool_name: the name of the pool comment: a more verbose description vm_list: list of VMs associated with the pool storage_list: list of storage IDs associated with the pool privileges: defines rights required to execute actions or read information. VM.Allocate: create/remove new VM to server inventory VM.Migrate: migrate VM to alternate server on cluster VM.PowerMgmt: power management (start, stop, reset, shutdown, ...) VM.Console: console access to VM VM.Monitor: access to VM monitor (kvm) VM.Backup: backup/restore VMs VM.Clone: Clone VM or VM template VM.Audit: view VM config VM.Config.XXX: modify VM config VM.Config.Disk: add/modify/delete Disks VM.Config.CDROM: eject/change CDROM VM.Config.CPU: modify CPU settings VM.Config.Memory: modify Memory settings VM.Config.Network: add/modify/delete Network devices VM.Config.HWType: modify emulated HW type VM.Config.Options: modify any other VM configuration Pool.Allocate: create/remove/modify a pool. Pool.Audit: view a pool Datastore.Allocate: create/remove/modify a data store. Datastore.AllocateSpace: allocate space on a datastore Datastore.AllocateTemplate: allocate/upload templates and iso images Datastore.Audit: view/browse a datastore Permissions.Modify: modify access permissions Sys.PowerMgmt: Node power management (start, stop, reset, shutdown, ...) Sys.Console: console access to Node Sys.Syslog: view Syslog Sys.Audit: view node status/config We may need to refine those in future - the following privs are just examples: VM.Create: create new VM to server inventory VM.Remove: remove VM from inventory VM.AddNewDisk: add new disk to VM VM.AddExistingDisk: add an existing disk to VM VM.DiskModify: modify disk space for associated VM VM.UseRawDevice: associate a raw device with VM VM.PowerOn: power on VM VM.PowerOff: power off VM VM.CpuModify: modify number of CPUs associated with VM VM.CpuCyclesModify: modify CPU cycles for VM VM.NetworkAdd: add network device to VM VM.NetworkConfigure: configure network device associated with VM VM.NetworkRemove: remove network device from VM Network.AssignNetwork: assign system networks role: defines a sets of privileges predefined roles: administrator: full administrative privileges read_only: read only no_access: no privileges We store the following attribute for roles: role_name: the name of the group description: a more verbose description privileges: list of privileges permission: Assign roles to users or groups. ACL and Objects: ================ An access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. Object: A Virtual machine, Network (bridge, venet), Hosts, Host Memory, Storage, ... We can identify our objects by an unique (file system like) path, which also defines a tree like hierarchy relation. ACL can be inherited. Permissions are inherited if the propagate flag is set on the parent. Child permissions always overwrite inherited permissions. User permission takes precedence over all group permissions. If multiple group permission apply the resulting role is the union of all those group privileges. There is at most one object permission per user or group We store the following attributes for ACLs: propagate: propagate permissions down in the hierarchy path: path to uniquely identify the object user_or_group: ID of user or group (group ID start with @) role: list of role IDs. User Database: To keep it simple, we suggest to use a single text file, which is replicated to all cluster nodes. Also, we can store ACLs inside this file. Here is a short example how such file could look like: -----User/Group/Role Database example-------- user:joe@example.com:$1$nd91DtDy$mJtzWJAN2AAABKij0JgMy1/:Joe Average:Just a comment: user:max@example.com:$1$nd91DtDy$LANSNJAN2AAABKidhfgMy3/:Max Mustermann:Another comment: user:edward@example.com:$1$nd91DtDy$LANSNAAAAAAABKidhfgMy3/:Edward Example:Example VM Manager: group:admin:Internal Administrator Group:root: group:audit:Read only accounts used for audit:: group:customers:Our Customers:joe@example.com,max@example.com: role:vm_user:Virtual Machine User:VM.ConfigureCD,VM.Console: role:vm_manager:Virtual Machine Manager:VM.ConfigureCD,VM.Console,VM.AddNewDisk,VM.PowerOn,VM.PowerOff: role:vm_operator:Virtual Machine Operator:VM.Create,VM.ConfigureCD,VM.Console,VM.AddNewDisk,VM.PowerOn,VM.PowerOff: role:ds_consumer:DataStore Consumer:Datastore.AllocateSpace: role:nw_consumer:Network Consumer:Network.AssignNetwork: # group admin can do anything acl:0:/:@admin:Administrator: # group audit can view anything acl:1:/:@audit:read_only: # user max can manage all qemu/kvm machines acl:1:/vm/qemu:max@example.com:vm_manager: # user joe can use openvz vm 230 acl:1:/vm/openvz/230:joe@example.com:vm_user: # user Edward can create openvz VMs using vmbr0 and store0 acl:1:/vm/openvz:edward@example.com:vm_operator: acl:1:/network/vmbr0:edward@example.com:ds_consumer: acl:1:/storage/store0:edward@example.com:nw_consumer: --------------------------------------------- Basic model RBAC -> http://en.wikipedia.org/wiki/Role-based_access_control # Subject: A person or automated agent subject:joe@example.com: subject:max@example.com: # Role: Job function or title which defines an authority level role:vm_user:Virtual Machine User: role:admin:Administrator: # Subject Assignment: Subject -> Role(s) SA:vm_user:joe@example.com,max@example.com: SA:admin:joe@example.com: # Permissions: An approval of a mode of access to a resource # Permission Assignment: Role -> Permissions (set of allowed operation) perm:vm_user:VM.ConfigureCD,VM.Console: perm:admin:VM.ConfigureCD,VM.Console,VM.Create: --------------------------------------------- We can merge 'perm' into the 'role' table, because it is a 1 -> 1 mapping subject:joe@example.com: subject:max@example.com: role:vm_user:Virtual Machine User:VM.ConfigureCD,VM.Console: role:admin:Administrator:VM.ConfigureCD,VM.Console,VM.Create: SA:vm_user:joe@example.com,max@example.com: SA:admin:joe@example.com: ----------------------------------------------- We can have different subject assignment for different objects. subject:joe@example.com: subject:max@example.com: role:vm_user:Virtual Machine User:VM.ConfigureCD,VM.Console: role:admin:Administrator:VM.ConfigureCD,VM.Console,VM.Create: # joe is 'admin' for openvz VMs, but 'vm_user' for qemu VMs SA:/vm/openvz:admin:joe@example.com: SA:/vm/qemu:vm_user:joe@example.com,max@example.com: ----------------------------------------------- Let us use more convenient names. Use 'user' instead of 'subject'. Use 'acl' instead of 'SA'. user:joe@example.com: user:max@example.com: role:vm_user:Virtual Machine User:VM.ConfigureCD,VM.Console: role:admin:Administrator:VM.ConfigureCD,VM.Console,VM.Create: # joe is 'admin' for openvz VMs, but 'vm_user' for qemu VMs acl:/vm/openvz:admin:joe@example.com: acl:/vm/qemu:vm_user:joe@example.com,max@example.com: ----------------------------------------------- Finally introduce groups to group users. ACL can then use 'users' or 'groups'. user:joe@example.com: user:max@example.com: group:customers:Our Customers:joe@example.com,max@example.com: role:vm_user:Virtual Machine User:VM.ConfigureCD,VM.Console: role:admin:Administrator:VM.ConfigureCD,VM.Console,VM.Create: acl:/vm/openvz:admin:joe@example.com: acl:/vm/qemu:vm_user:@customers: -----------------------------------------------