sub verify_ticket {
my ($ticket, $noerr) = @_;
- if ($ticket && $ticket =~ m/^(\S+)::([^:\s]+)$/) {
+ if ($ticket && $ticket =~ m/^(PVE:\S+)::([^:\s]+)$/) {
my $plain = $1;
my $sig = $2;
my $rsa_pub = get_pubkey();
if ($rsa_pub->verify($plain, decode_base64($sig))) {
- if ($plain =~ m/^PVE:(([A-Za-z0-9\.\-_]+)(\@([A-Za-z0-9\.\-_]+))?):([A-Z0-9]{8})$/) {
+ if ($plain =~ m/^PVE:(\S+):([A-Z0-9]{8})$/) {
my $username = $1;
- my $timestamp = $5;
+ my $timestamp = $2;
my $ttime = hex($timestamp);
my $age = time() - $ttime;
- if (($age > -300) && ($age < $ticket_lifetime)) {
+ if (verify_username($username, 1) &&
+ ($age > -300) && ($age < $ticket_lifetime)) {
return wantarray ? ($username, $age) : $username;
}
}
return undef;
}
+# VNC tickets
+# - they do not contain the username in plain text
+# - they are restricted to a specific resource path (example: '/vms/100')
+sub assemble_vnc_ticket {
+ my ($username, $path) = @_;
+
+ my $rsa_priv = get_privkey();
+
+ my $timestamp = sprintf("%08X", time());
+
+ my $plain = "PVEVNC:$timestamp";
+
+ $path = normalize_path($path);
+
+ my $full = "$plain:$username:$path";
+
+ my $ticket = $plain . "::" . encode_base64($rsa_priv->sign($full), '');
+
+ return $ticket;
+}
+
+sub verify_vnc_ticket {
+ my ($ticket, $username, $path, $noerr) = @_;
+
+ if ($ticket && $ticket =~ m/^(PVEVNC:\S+)::([^:\s]+)$/) {
+ my $plain = $1;
+ my $sig = $2;
+ my $full = "$plain:$username:$path";
+
+ my $rsa_pub = get_pubkey();
+ # Note: sign only match if $username and $path is correct
+ if ($rsa_pub->verify($full, decode_base64($sig))) {
+ if ($plain =~ m/^PVEVNC:([A-Z0-9]{8})$/) {
+ my $ttime = hex($1);
+
+ my $age = time() - $ttime;
+
+ if (($age > -20) && ($age < 40)) {
+ return 1;
+ }
+ }
+ }
+ }
+
+ die "permission denied - invalid vnc ticket\n" if !$noerr;
+
+ return undef;
+}
+
+
sub authenticate_user_shadow {
my ($userid, $password) = @_;
}
}
-sub user_enabled {
- my ($usercfg, $username) = @_;
+sub check_user_exist {
+ my ($usercfg, $username, $noerr) = @_;
- $username = verify_username($username, 1);
+ $username = verify_username($username, $noerr);
return undef if !$username;
- return 1 if $usercfg && $usercfg->{users}->{$username} &&
- $usercfg->{users}->{$username}->{enable};
+ return $usercfg->{users}->{$username} if $usercfg && $usercfg->{users}->{$username};
+
+ die "no such user ('$username')\n" if !$noerr;
+
+ return undef;
+}
+
+sub check_user_enabled {
+ my ($usercfg, $username, $noerr) = @_;
+
+ my $data = check_user_exist($usercfg, $username, $noerr);
+ return undef if !$data;
+
+ return 1 if $data->{enable};
return 1 if $username eq 'root@pam'; # root is always enabled
- return 0;
+ die "user '$username' is disabled\n" if !$noerr;
+
+ return undef;
}
# password should be utf8 encoded
my $usercfg = cfs_read_file('user.cfg');
- if (!user_enabled($usercfg, $username)) {
+ eval { check_user_enabled($usercfg, $username); };
+ if (my $err = $@) {
sleep(2);
- die "no such user ('$username')\n"
+ die $err;
}
my $ctime = time();
sub store_pam_password {
my ($userid, $password) = @_;
- my $cmd = ['/usr/sbin/usermod'];
+ my $cmd = ['usermod'];
my $epw = encrypt_pw($password);
push @$cmd, '-p', $epw;
push @$cmd, $userid;
- run_command($cmd);
+ run_command($cmd, errmsg => 'change password failed');
}
sub domain_set_password {
delete ($usercfg->{acl}->{$acl}->{users}->{$username})
if $usercfg->{acl}->{$acl}->{users}->{$username};
}
-
}
+
sub delete_group_acl {
my ($group, $usercfg) = @_;
delete ($usercfg->{acl}->{$acl}->{groups}->{$group})
if $usercfg->{acl}->{$acl}->{groups}->{$group};
}
+}
+sub delete_pool_acl {
+
+ my ($pool, $usercfg) = @_;
+
+ my $path = "/pool/$pool";
+
+ foreach my $aclpath (keys %{$usercfg->{acl}}) {
+ delete ($usercfg->{acl}->{$aclpath})
+ if $usercfg->{acl}->{$aclpath} eq 'path';
+ }
}
# we automatically create some predefined roles by splitting privs
VM => {
root => [],
admin => [
- 'VM.Modify',
+ 'VM.Config.Disk',
+ 'VM.Config.CPU',
+ 'VM.Config.Memory',
+ 'VM.Config.Network',
+ 'VM.Config.HWType',
+ 'VM.Config.Options', # covers all other things
'VM.Allocate',
'VM.Migrate',
- 'Permissions.Modify',
+ 'VM.Monitor',
],
user => [
+ 'VM.Config.CDROM', # change CDROM media
'VM.Console',
+ 'VM.Backup',
'VM.PowerMgmt',
],
audit => [
- 'VM.Audit'
+ 'VM.Audit',
],
},
Sys => {
root => [
'Sys.PowerMgmt',
- 'Sys.Modify', # edit/change node settings
+ 'Sys.Modify', # edit/change node settings
],
admin => [
+ 'Permissions.Modify',
'Sys.Console',
'Sys.Syslog',
],
],
},
Datastore => {
- root => [
+ root => [],
+ admin => [
'Datastore.Allocate',
- 'Permissions.Modify',
+ 'Datastore.AllocateTemplate',
],
- admin => [],
user => [
'Datastore.AllocateSpace',
],
'Datastore.Audit',
],
},
+ User => {
+ root => [
+ 'Realm.Allocate',
+ ],
+ admin => [
+ 'User.Modify',
+ 'Group.Allocate', # edit/change group settings
+ 'Realm.AllocateUser',
+ ],
+ user => [],
+ audit => [],
+ },
+ Pool => {
+ root => [],
+ admin => [
+ 'Pool.Allocate', # create/delete pools
+ ],
+ user => [],
+ audit => [],
+ },
};
my $valid_privs = {};
ldap => {
server1 => '[\w\d]+(.[\w\d]+)*',
server2 => '[\w\d]+(.[\w\d]+)*',
- base_dn => '\w+=[\w\s]+(,\s*\w+=[\w\s]+)*',
+ base_dn => '\w+=[^,]+(,\s*\w+=[^,]+)*',
user_attr => '\S{2,}',
secure => '',
port => '\d+',
sub normalize_path {
my $path = shift;
- $path =~ s|/+|/|;
+ $path =~ s|/+|/|g;
$path =~ s|/$||;
$path = '/' if !$path;
+ $path = "/$path" if $path !~ m|^/|;
+
return undef if $path !~ m|^[[:alnum:]\-\_\/]+$|;
return $path;
my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
+PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
my ($realm, $noerr) = @_;
PVE::JSONSchema::register_standard_option('realm', {
description => "Authentication domain ID",
- type => 'string', format => 'pve-configid',
+ type => 'string', format => 'pve-realm',
maxLength => 32,
});
return $rolename;
}
+PVE::JSONSchema::register_format('pve-poolid', \&verify_groupname);
+sub verify_poolname {
+ my ($poolname, $noerr) = @_;
+
+ if ($poolname !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+ die "pool name '$poolname' contains invalid characters\n" if !$noerr;
+
+ return undef;
+ }
+
+ return $poolname;
+}
+
PVE::JSONSchema::register_format('pve-priv', \&verify_privname);
sub verify_privname {
my ($priv, $noerr) = @_;
}
foreach my $ug (split_list($uglist)) {
- if ($ug =~ m/^@(\w+)$/) {
+ if ($ug =~ m/^@(\S+)$/) {
my $group = $1;
if ($cfg->{groups}->{$group}) { # group exists
$cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
} else {
warn "user config - ignore invalid path in acl '$pathtxt'\n";
}
+ } elsif ($et eq 'pool') {
+ my ($pool, $comment, $vmlist, $storelist) = @data;
+
+ if (!verify_poolname($pool, 1)) {
+ warn "user config - ignore pool '$pool' - invalid characters in pool name\n";
+ next;
+ }
+
+ # make sure to add the pool (even if there are no members)
+ $cfg->{pools}->{$pool} = { vms => {}, storage => {} } if !$cfg->{pools}->{$pool};
+
+ $cfg->{pools}->{$pool}->{comment} = PVE::Tools::decode_text($comment) if $comment;
+
+ foreach my $vmid (split_list($vmlist)) {
+ if ($vmid !~ m/^\d+$/) {
+ warn "user config - ignore invalid vmid '$vmid' in pool '$pool'\n";
+ next;
+ }
+ $vmid = int($vmid);
+
+ if ($cfg->{vms}->{$vmid}) {
+ warn "user config - ignore duplicate vmid '$vmid' in pool '$pool'\n";
+ next;
+ }
+
+ $cfg->{pools}->{$pool}->{vms}->{$vmid} = 1;
+
+ # record vmid ==> pool relation
+ $cfg->{vms}->{$vmid} = $pool;
+ }
+
+ foreach my $storeid (split_list($storelist)) {
+ if ($storeid !~ m/^[a-z][a-z0-9\-\_\.]*[a-z0-9]$/i) {
+ warn "user config - ignore invalid storage '$storeid' in pool '$pool'\n";
+ next;
+ }
+ $cfg->{pools}->{$pool}->{storage}->{$storeid} = 1;
+ }
} else {
warn "user config - ignore config line: $line\n";
}
$wrote_default = 1;
} elsif (defined($formats->{$k})) {
if (!$formats->{$k}) {
- $data .= "\t$k\n";
+ $data .= "\t$k\n" if $v;
} elsif ($v =~ m/^$formats->{$k}$/) {
$v = PVE::Tools::encode_text($v) if $k eq 'comment';
$data .= "\t$k $v\n";
warn "ignoring domain '$realm' - missing user attribute\n";
} elsif (($entry->{type} eq "ldap") && !$entry->{base_dn}) {
warn "ignoring domain '$realm' - missing base_dn attribute\n";
+ } elsif (($entry->{type} eq "ad") && !$entry->{domain}) {
+ warn "ignoring domain '$realm' - missing domain attribute\n";
} else {
$cfg->{$realm} = $entry;
}
my $data = '';
foreach my $user (keys %{$cfg->{users}}) {
- next if $user eq 'root@pam';
-
my $d = $cfg->{users}->{$user};
my $firstname = $d->{firstname} ? PVE::Tools::encode_text($d->{firstname}) : '';
my $lastname = $d->{lastname} ? PVE::Tools::encode_text($d->{lastname}) : '';
$data .= "\n";
+ foreach my $pool (keys %{$cfg->{pools}}) {
+ my $d = $cfg->{pools}->{$pool};
+ my $vmlist = join (',', keys %{$d->{vms}});
+ my $storelist = join (',', keys %{$d->{storage}});
+ my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : '';
+ $data .= "pool:$pool:$comment:$vmlist:$storelist:\n";
+ }
+
+ $data .= "\n";
+
foreach my $role (keys %{$cfg->{roles}}) {
next if $special_roles->{$role};
sub roles {
my ($cfg, $user, $path) = @_;
+ # NOTE: we do not consider pools here.
+ # You need to use $rpcenv->roles() instead if you want that.
+
return 'Administrator' if $user eq 'root@pam'; # root can do anything
my $perm = {};
$perm = $new; # overwrite previous settings
next;
}
-
- #die "what herea?";
}
- my $res = {};
- if (!defined ($perm->{NoAccess})) {
- $res = $perm;
- }
+ return ('NoAccess') if defined ($perm->{NoAccess});
+ #return () if defined ($perm->{NoAccess});
#print "permission $user $path = " . Dumper ($perm);
- my @ra = keys %$res;
+ my @ra = keys %$perm;
#print "roles $user $path = " . join (',', @ra) . "\n";