fix bug #151: corretly parse username inside ticket

[pve-access-control.git] / PVE / AccessControl.pm

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 8305117c500b2dca9fe5f5345d4078154c89c99a..2b7974dd6245fd44d92a9d3902c0f9cfe07c4bea 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -156,14 +156,15 @@ sub verify_ticket {
 
        my $rsa_pub = get_pubkey();
        if ($rsa_pub->verify($plain, decode_base64($sig))) {
-           if ($plain =~ m/^PVE:(([A-Za-z0-9\.\-_]+)(\@([A-Za-z0-9\.\-_]+))?):([A-Z0-9]{8})$/) {
+           if ($plain =~ m/^PVE:(\S+):([A-Z0-9]{8})$/) {
                my $username = $1;
-               my $timestamp = $5;
+               my $timestamp = $2;
                my $ttime = hex($timestamp);
 
                my $age = time() - $ttime;
 
-               if (($age > -300) && ($age < $ticket_lifetime)) {
+               if (verify_username($username, 1) &&
+                   ($age > -300) && ($age < $ticket_lifetime)) {
                    return wantarray ? ($username, $age) : $username;
                }
            }
@@ -463,14 +464,14 @@ sub encrypt_pw {
 sub store_pam_password {
     my ($userid, $password) = @_;
 
-    my $cmd = ['/usr/sbin/usermod'];
+    my $cmd = ['usermod'];
 
     my $epw = encrypt_pw($password);
     push @$cmd, '-p', $epw;
 
     push @$cmd, $userid;
 
-    run_command($cmd);
+    run_command($cmd, errmsg => 'change password failed');
 }
 
 sub domain_set_password {
@@ -549,7 +550,6 @@ my $privgroups = {
        root => [],
        admin => [           
            'VM.Config.Disk', 
-           'VM.Config.CDROM', # change CDROM media
            'VM.Config.CPU', 
            'VM.Config.Memory', 
            'VM.Config.Network', 
@@ -560,7 +560,9 @@ my $privgroups = {
            'VM.Monitor', 
        ],
        user => [
+           'VM.Config.CDROM', # change CDROM media
            'VM.Console', 
+           'VM.Backup',
            'VM.PowerMgmt',
        ],
        audit => [ 
@@ -662,7 +664,7 @@ my $valid_attributes = {
     ldap => {
        server1 => '[\w\d]+(.[\w\d]+)*',
        server2 => '[\w\d]+(.[\w\d]+)*',
-       base_dn => '\w+=[\w\s]+(,\s*\w+=[\w\s]+)*',
+       base_dn => '\w+=[^,]+(,\s*\w+=[^,]+)*',
        user_attr => '\S{2,}',
        secure => '',
        port => '\d+',
@@ -704,6 +706,7 @@ sub normalize_path {
 
 my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
 
+PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
 sub pve_verify_realm {
     my ($realm, $noerr) = @_;
  
@@ -747,7 +750,7 @@ PVE::JSONSchema::register_standard_option('userid', {
 
 PVE::JSONSchema::register_standard_option('realm', {
     description => "Authentication domain ID",
-    type => 'string', format => 'pve-configid',
+    type => 'string', format => 'pve-realm',
     maxLength => 32,
 });
 
@@ -937,7 +940,7 @@ sub parse_user_config {
                    }
 
                    foreach my $ug (split_list($uglist)) {
-                       if ($ug =~ m/^@(\w+)$/) {
+                       if ($ug =~ m/^@(\S+)$/) {
                            my $group = $1;
                            if ($cfg->{groups}->{$group}) { # group exists 
                                $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;