X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=2b7974dd6245fd44d92a9d3902c0f9cfe07c4bea;hp=8305117c500b2dca9fe5f5345d4078154c89c99a;hb=533219a1222ef54fc8f027f133ffdc3ab60d051c;hpb=373cb3839470e2d5783c7778473013a45ad53ca9 diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index 8305117..2b7974d 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -156,14 +156,15 @@ sub verify_ticket { my $rsa_pub = get_pubkey(); if ($rsa_pub->verify($plain, decode_base64($sig))) { - if ($plain =~ m/^PVE:(([A-Za-z0-9\.\-_]+)(\@([A-Za-z0-9\.\-_]+))?):([A-Z0-9]{8})$/) { + if ($plain =~ m/^PVE:(\S+):([A-Z0-9]{8})$/) { my $username = $1; - my $timestamp = $5; + my $timestamp = $2; my $ttime = hex($timestamp); my $age = time() - $ttime; - if (($age > -300) && ($age < $ticket_lifetime)) { + if (verify_username($username, 1) && + ($age > -300) && ($age < $ticket_lifetime)) { return wantarray ? ($username, $age) : $username; } } @@ -463,14 +464,14 @@ sub encrypt_pw { sub store_pam_password { my ($userid, $password) = @_; - my $cmd = ['/usr/sbin/usermod']; + my $cmd = ['usermod']; my $epw = encrypt_pw($password); push @$cmd, '-p', $epw; push @$cmd, $userid; - run_command($cmd); + run_command($cmd, errmsg => 'change password failed'); } sub domain_set_password { @@ -549,7 +550,6 @@ my $privgroups = { root => [], admin => [ 'VM.Config.Disk', - 'VM.Config.CDROM', # change CDROM media 'VM.Config.CPU', 'VM.Config.Memory', 'VM.Config.Network', @@ -560,7 +560,9 @@ my $privgroups = { 'VM.Monitor', ], user => [ + 'VM.Config.CDROM', # change CDROM media 'VM.Console', + 'VM.Backup', 'VM.PowerMgmt', ], audit => [ @@ -662,7 +664,7 @@ my $valid_attributes = { ldap => { server1 => '[\w\d]+(.[\w\d]+)*', server2 => '[\w\d]+(.[\w\d]+)*', - base_dn => '\w+=[\w\s]+(,\s*\w+=[\w\s]+)*', + base_dn => '\w+=[^,]+(,\s*\w+=[^,]+)*', user_attr => '\S{2,}', secure => '', port => '\d+', @@ -704,6 +706,7 @@ sub normalize_path { my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/; +PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm); sub pve_verify_realm { my ($realm, $noerr) = @_; @@ -747,7 +750,7 @@ PVE::JSONSchema::register_standard_option('userid', { PVE::JSONSchema::register_standard_option('realm', { description => "Authentication domain ID", - type => 'string', format => 'pve-configid', + type => 'string', format => 'pve-realm', maxLength => 32, }); @@ -937,7 +940,7 @@ sub parse_user_config { } foreach my $ug (split_list($uglist)) { - if ($ug =~ m/^@(\w+)$/) { + if ($ug =~ m/^@(\S+)$/) { my $group = $1; if ($cfg->{groups}->{$group}) { # group exists $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;