With the PVE 8.0 major release, the scope of
non-"Permissions.Modify"-based ACL update privileges was reduced (so
that users with, for example, VM.Allocate on a VM could only delegate
their own privileges, but not arbitrary other ones). That additional
logic had a wrong guard and was accidentally triggered for calls where
the user had the "Permissions.Modify" privilege on the modified ACL
path, but without propagation set.

A user with "Permissions.Modify" on a path should be able to set
arbitrary ACLs for that path, even without propagation.

Reported on the forum: https://forum.proxmox.com/threads/151032/

Fixes: 46bfd59 ("acls: restrict less-privileged ACL modifications")
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
die "role '$role' does not exist\n"
if !$cfg->{roles}->{$role};
- if (!$auth_user_privs->{'Permissions.Modify'}) {
+ # permissions() returns set privs as key, and propagate bit as value!
+ if (!defined($auth_user_privs->{'Permissions.Modify'})) {
# 'perm-modify' allows /vms/* with VM.Allocate and similar restricted use cases
# filter those to only allow handing out a subset of currently active privs
my $role_privs = $cfg->{roles}->{$role};
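Review bot: the new guard `if (!defined($auth_user_privs->{'Permissions.Modify'}))` is only correct as long as permissions() never stores an undefined value for a privilege the user holds; since the added comment says set privileges are the hash keys, `exists` would state that intent directly and would not depend on how the propagate bit is represented. The change also comes without a regression test for the case it fixes, a user holding Permissions.Modify on the path with the propagate bit unset assigning a role whose privileges they do not hold themselves, which is the access-control boundary most likely to regress here. Because the old truthiness check failed precisely because the value is the propagate bit, any other truthiness test on the result of permissions() deserves the same look.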