do not allow user names including slash

[pve-access-control.git] / PVE / AccessControl.pm

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index e860db1e1a41a156bb83e9eea46319aaf4fb111d..6943ed4a95feb9ea46501e0b3e9a45b0cafc9a85 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -156,14 +156,15 @@ sub verify_ticket {
 
        my $rsa_pub = get_pubkey();
        if ($rsa_pub->verify($plain, decode_base64($sig))) {
-           if ($plain =~ m/^PVE:(([A-Za-z0-9\.\-_]+)(\@([A-Za-z0-9\.\-_]+))?):([A-Z0-9]{8})$/) {
+           if ($plain =~ m/^PVE:(\S+):([A-Z0-9]{8})$/) {
                my $username = $1;
-               my $timestamp = $5;
+               my $timestamp = $2;
                my $ttime = hex($timestamp);
 
                my $age = time() - $ttime;
 
-               if (($age > -300) && ($age < $ticket_lifetime)) {
+               if (verify_username($username, 1) &&
+                   ($age > -300) && ($age < $ticket_lifetime)) {
                    return wantarray ? ($username, $age) : $username;
                }
            }
@@ -463,14 +464,14 @@ sub encrypt_pw {
 sub store_pam_password {
     my ($userid, $password) = @_;
 
-    my $cmd = ['/usr/sbin/usermod'];
+    my $cmd = ['usermod'];
 
     my $epw = encrypt_pw($password);
     push @$cmd, '-p', $epw;
 
     push @$cmd, $userid;
 
-    run_command($cmd);
+    run_command($cmd, errmsg => 'change password failed');
 }
 
 sub domain_set_password {
@@ -549,7 +550,6 @@ my $privgroups = {
        root => [],
        admin => [           
            'VM.Config.Disk', 
-           'VM.Config.CDROM', # change CDROM media
            'VM.Config.CPU', 
            'VM.Config.Memory', 
            'VM.Config.Network', 
@@ -560,6 +560,7 @@ my $privgroups = {
            'VM.Monitor', 
        ],
        user => [
+           'VM.Config.CDROM', # change CDROM media
            'VM.Console', 
            'VM.Backup',
            'VM.PowerMgmt',
@@ -731,9 +732,12 @@ sub verify_username {
        return undef;
     }
 
-    # we only allow a limited set of characters (colon is not allowed,
-    # because we store usernames in colon separated lists)!
-    if ($username =~ m/^([^\s:]+)\@(${realm_regex})$/) {
+    # we only allow a limited set of characters
+    # colon is not allowed, because we store usernames in 
+    # colon separated lists)!
+    # slash is not allowed because it is used as pve API delimiter
+    # also see "man useradd" 
+    if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
        return wantarray ? ($username, $1, $2) : $username;
     }