]>
git.proxmox.com Git - pmg-api.git/blob - PMG/AccessControl.pm
1 package PMG
::AccessControl
;
8 use PVE
::JSONSchema
qw(get_standard_option);
19 $path = '/' if !$path;
21 $path = "/$path" if $path !~ m
|^/|;
23 return undef if $path !~ m
|^[[:alnum
:]\
.\
-\_\
/]+$|;
28 # password should be utf8 encoded
29 # Note: some plugins delay/sleep if auth fails
30 sub authenticate_user
{
31 my ($username, $password, $otp) = @_;
33 die "no username specified\n" if !$username;
37 ($username, $ruid, $realm) = PMG
::Utils
::verify_username
($username);
39 if ($realm eq 'pam') {
40 die "invalid pam user (only root allowed)\n" if $ruid ne 'root';
41 authenticate_pam_user
($ruid, $password);
45 if ($realm eq 'pmg') {
46 my $usercfg = PMG
::UserConfig-
>new();
47 $usercfg->authenticate_user($username, $password);
51 die "no such realm '$realm'\n";
54 sub set_user_password
{
55 my ($username, $password) = @_;
59 ($username, $ruid, $realm) = PMG
::Utils
::verify_username
($username);
61 if ($realm eq 'pam') {
62 die "invalid pam user (only root allowed)\n" if $ruid ne 'root';
64 my $cmd = ['usermod'];
66 my $epw = PMG
::Utils
::encrypt_pw
($password);
68 push @$cmd, '-p', $epw, $ruid;
70 run_command
($cmd, errmsg
=> "change password for '$ruid' failed");
72 } elsif ($realm eq 'pmg') {
73 PMG
::UserConfig-
>set_user_password($username, $password);
75 die "no such realm '$realm'\n";
79 # test if user exists and is enabled
80 sub check_user_enabled
{
81 my ($username, $noerr) = @_;
85 ($username, $ruid, $realm) = PMG
::Utils
::verify_username
($username, 1);
87 if ($realm && $ruid) {
88 if ($realm eq 'pam') {
89 return 1 if $ruid eq 'root';
90 } elsif ($realm eq 'pmg') {
91 my $usercfg = PMG
::UserConfig-
>new();
92 my $data = $usercfg->lookup_user_data($username, $noerr);
93 return 1 if $data && $data->{enable
};
97 die "user '$username' is disabled\n" if !$noerr;
102 sub authenticate_pam_user
{
103 my ($username, $password) = @_;
105 # user need to be able to read /etc/passwd /etc/shadow
107 my $pamh = Authen
::PAM-
>new('common-auth', $username, sub {
110 my $msg_type = shift;
112 push @res, (0, $password);
119 my $err = $pamh->pam_strerror($pamh);
120 die "Error during PAM init: $err";
125 if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS
) {
126 my $err = $pamh->pam_strerror($res);
127 die "auth failed: $err";
130 if (($res = $pamh->pam_acct_mgmt(0)) != PAM_SUCCESS
) {
131 my $err = $pamh->pam_strerror($res);
132 die "auth failed: $err";
135 $pamh = 0; # call destructor