do not allow to change system user passwords

[pve-access-control.git] / PVE / API2 / AccessControl.pm

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 24699d215822658e51d672829545a7e87da4553d..0ef31fa2068a70c0349fd7d1222dea96505f0367 100644 (file)
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -3,6 +3,7 @@ package PVE::API2::AccessControl;
 use strict;
 use warnings;
 
+use PVE::Exception qw(raise raise_perm_exc);
 use PVE::SafeSyslog;
 use PVE::RPCEnvironment;
 use PVE::Cluster qw(cfs_read_file);
@@ -47,6 +48,9 @@ __PACKAGE__->register_method ({
     path => '', 
     method => 'GET',
     description => "Directory index.",
+    permissions => { 
+       user => 'all',
+    },
     parameters => {
        additionalProperties => 0,
        properties => {},
@@ -77,6 +81,7 @@ __PACKAGE__->register_method ({
        }
 
        push @$res, { subdir => 'ticket' };
+       push @$res, { subdir => 'password' };
 
        return $res;
     }});
@@ -130,7 +135,10 @@ __PACKAGE__->register_method ({
     name => 'create_ticket', 
     path => 'ticket', 
     method => 'POST',
-    permissions => { user => 'world' },
+    permissions => { 
+       description => "You need to pass valid credientials.",
+       user => 'world' 
+    },
     protected => 1, # else we can't access shadow files
     description => "Create or verify authentication ticket.",
     parameters => {
@@ -204,4 +212,64 @@ __PACKAGE__->register_method ({
        return $res;
     }});
 
+__PACKAGE__->register_method ({
+    name => 'change_passsword', 
+    path => 'password', 
+    method => 'PUT',
+    permissions => { 
+       description => "Each user is allowed to change his own password. A user can change the password of another user if he has 'Realm.AllocateUser' (on the realm of user <userid>) and 'User.Modify' permission on /access/groups/<group> on a group where user <userid> is member of.",
+       check => [ 'or', 
+                  ['userid-param', 'self'],
+                  [ 'and',
+                    [ 'userid-param', 'Realm.AllocateUser'],
+                    [ 'userid-group', ['User.Modify']]
+                  ]
+           ],
+    },
+    protected => 1, # else we can't access shadow files
+    description => "Change user password.",
+    parameters => {
+       additionalProperties => 0,
+       properties => {
+           userid => get_standard_option('userid'),
+           password => { 
+               description => "The new password.",
+               type => 'string',
+               minLength => 5, 
+               maxLength => 64,
+           },
+       }
+    },
+    returns => { type => "null" },
+    code => sub {
+       my ($param) = @_;
+
+       my $rpcenv = PVE::RPCEnvironment::get();
+       my $authuser = $rpcenv->get_user();
+
+       my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
+
+       $rpcenv->check_user_exist($userid);
+
+       if ($authuser eq 'root@pam') {
+           # OK - root can change anything
+       } else {
+           if ($authuser eq $userid) {
+               $rpcenv->check_user_enabled($userid);
+               # OK - each user can change its own password
+           } else {
+               # only root may change root password
+               raise_perm_exc() if $userid eq 'root@pam';
+               # do not allow to change system user passwords
+               raise_perm_exc() if $realm eq 'pam';
+           }
+       }
+
+       PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password});
+
+       PVE::Cluster::log_msg('info', 'root@pam', "changed password for user '$userid'");
+
+       return undef;
+    }});
+
 1;