X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=6943ed4a95feb9ea46501e0b3e9a45b0cafc9a85;hp=44813a7b04180a95753b85af1444930333bdd5c4;hb=3030a17643d9f303d1d1820e972f9ed9ce74fdd2;hpb=9b2172261e5b0088a608de124c8cfd53154aa6a7
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 44813a7..6943ed4 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -156,14 +156,15 @@ sub verify_ticket {
 my $rsa_pub = get_pubkey();
 if ($rsa_pub->verify($plain, decode_base64($sig))) {
- if ($plain =~ m/^PVE:(([A-Za-z0-9\.\-_]+)(\@([A-Za-z0-9\.\-_]+))?):([A-Z0-9]{8})$/) {
+ if ($plain =~ m/^PVE:(\S+):([A-Z0-9]{8})$/) {
 my $username = $1;
- my $timestamp = $5;
+ my $timestamp = $2;
 my $ttime = hex($timestamp);
 my $age = time() - $ttime;
- if (($age > -300) && ($age < $ticket_lifetime)) {
+ if (verify_username($username, 1) &&
+ ($age > -300) && ($age < $ticket_lifetime)) {
 return wantarray ? ($username, $age) : $username;
 }
 }
@@ -463,14 +464,14 @@ sub encrypt_pw {
 sub store_pam_password {
 my ($userid, $password) = @_;
- my $cmd = ['/usr/sbin/usermod'];
+ my $cmd = ['usermod'];
 my $epw = encrypt_pw($password);
 push @$cmd, '-p', $epw;
 push @$cmd, $userid;
- run_command($cmd);
+ run_command($cmd, errmsg => 'change password failed');
 }
 sub domain_set_password {
@@ -549,7 +550,6 @@ my $privgroups = {
 root => [],
 admin => [
 'VM.Config.Disk',
- 'VM.Config.CDROM', # change CDROM media
 'VM.Config.CPU',
 'VM.Config.Memory',
 'VM.Config.Network',
@@ -560,6 +560,7 @@ my $privgroups = {
 'VM.Monitor',
 ],
 user => [
+ 'VM.Config.CDROM', # change CDROM media
 'VM.Console',
 'VM.Backup',
 'VM.PowerMgmt',
@@ -663,7 +664,7 @@ my $valid_attributes = {
 ldap => {
 server1 => '[\w\d]+(.[\w\d]+)*',
 server2 => '[\w\d]+(.[\w\d]+)*',
- base_dn => '\w+=[\w\s]+(,\s*\w+=[\w\s]+)*',
+ base_dn => '\w+=[^,]+(,\s*\w+=[^,]+)*',
 user_attr => '\S{2,}',
 secure => '',
 port => '\d+',
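Review bot: With the user field loosened to `\S+` on the new `if ($plain =~ ...` line in verify_ticket, `verify_username($username, 1)` in the combined condition is the only syntax check left on the ticket's user part, and nothing on these lines says so. A rejected username and an out-of-window timestamp also fall through the same `if`, so the two cases cannot be told apart when auditing failed ticket checks. I would add a comment above the condition such as `# user field syntax is enforced by verify_username(); the regex only splits the fields`, and consider putting the `verify_username` call in its own guard so its failure can be reported separately. verify_ticket starts and ends outside the hunk.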
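Review bot: Dropping the absolute path in `my $cmd = ['usermod'];` makes the binary that sets a PAM password depend on the calling process's `PATH`. Whether `run_command` or the daemon pins `PATH` is not visible in this hunk; if neither does, a missing `/usr/sbin` entry breaks password changes, and an earlier writable entry decides which `usermod` runs with this process's privileges. Either keep `'/usr/sbin/usermod'` or add a comment stating where `PATH` is fixed. Separately, the context line `push @$cmd, $userid;` places the id last with no `--` before it, so it relies entirely on the caller having validated `$userid`.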
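Review bot: `'VM.Config.CDROM'` is removed from the `admin` list in this hunk and added to `user` in the next one, which changes who may swap CDROM media, yet nothing on these lines records why. Whether `admin` still ends up with the privilege depends on how `$privgroups` is expanded into roles, and that code is outside both hunks; if the groups are not cumulative, admin-derived roles lose it. I would add a comment at the new `user` entry, for example `# moved from admin: media change is treated as a user-level action`, and confirm that existing role definitions still resolve as intended.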
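Review bot: The new `base_dn` pattern `'\w+=[^,]+(,\s*\w+=[^,]+)*'` accepts every character except a comma in each value, so line breaks, control characters, `=`, `#` and quotes all pass. The old class already let `\s` through, but the new one removes every other limit. How `$valid_attributes` patterns are anchored and how the value is written to the domain configuration is not visible here; if the storage is line-based, a narrower class such as `'\w+=[^,\r\n]+(,\s*\w+=[^,\r\n]+)*'` would be safer. Escaped commas inside a DN value (`\,`) are still rejected, which may be worth a comment.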
@@ -705,6 +706,7 @@ sub normalize_path {
 my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
+PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
 sub pve_verify_realm {
 my ($realm, $noerr) = @_;
@@ -730,9 +732,12 @@ sub verify_username {
 return undef;
 }
- # we only allow a limited set of characters (colon is not allowed,
- # because we store usernames in colon separated lists)!
- if ($username =~ m/^([^\s:]+)\@(${realm_regex})$/) {
+ # we only allow a limited set of characters
+ # colon is not allowed, because we store usernames in
+ # colon separated lists)!
+ # slash is not allowed because it is used as pve API delimiter
+ # also see "man useradd"
+ if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
 return wantarray ? ($username, $1, $2) : $username;
 }
@@ -748,7 +753,7 @@ PVE::JSONSchema::register_standard_option('userid', {
 PVE::JSONSchema::register_standard_option('realm', {
 description => "Authentication domain ID",
- type => 'string', format => 'pve-configid',
+ type => 'string', format => 'pve-realm',
 maxLength => 32,
 });
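Review bot: The `pve-realm` format is registered with `\&pve_verify_realm`, but everything in that sub after `my ($realm, $noerr) = @_;` lies outside the hunk, so it cannot be confirmed here that it matches the whole string. The `$realm_regex` on the context line is an unanchored `qr//`, so the callback has to supply the anchors itself. The last hunk switches the `realm` option from `pve-configid` to this format, so any gap in the callback becomes the API's realm validation. I would add a comment above the registration such as `# format callback: must match the entire value against $realm_regex`.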
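Review bot: The new match `m!^([^\s:/]+)\@(${realm_regex})$!` in verify_username still ends in `$`, which in Perl also matches before a trailing newline, and the function returns the original `$username` rather than the captures. A value consisting of a valid id followed by a newline would therefore pass and be returned with the newline intact, which matters for the colon-separated storage the comment mentions if that storage is line-based. Use `\z` instead: `if ($username =~ m!^([^\s:/]+)\@(${realm_regex})\z!) {`. The ticket regex in the verify_ticket hunk uses the same `$` anchor, though its captures cannot contain the newline. verify_username starts outside the hunk.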