X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=debian%2Fchangelog;h=a1efa14e9f0f0a2facbe1f585e7539379afc220f;hp=ec4bc490d35f5691d31d34df2677d1b3e09c08bd;hb=HEAD;hpb=de8c5e6cebeeda13ced4c23bd108040c3c68438d diff --git a/debian/changelog b/debian/changelog index ec4bc49..cb0e71c 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,10 +1,481 @@ +libpve-access-control (8.1.4) bookworm; urgency=medium + + * fix #5335: sort ACL entries in user.cfg to make it easier to track changes + + -- Proxmox Support Team Mon, 22 Apr 2024 13:45:22 +0200 + +libpve-access-control (8.1.3) bookworm; urgency=medium + + * user: password change: require confirmation-password parameter so that + anybody gaining local or physical access to a device where a user is + logged in on a Proxmox VE web-interface cannot give them more permanent + access or deny the actual user accessing their account by changing the + password. Note that such an attack scenario means that the attacker + already has high privileges and can already control the resource + completely through another attack. + Such initial attacks (like stealing an unlocked device) are almost always + are outside of the control of our projects. Still, hardening the API a bit + by requiring a confirmation of the original password is to cheap to + implement to not do so. + + * jobs: realm sync: fix scheduled LDAP syncs not applying all attributes, + like comments, correctly + + -- Proxmox Support Team Fri, 22 Mar 2024 14:14:36 +0100 + +libpve-access-control (8.1.2) bookworm; urgency=medium + + * add Sys.AccessNetwork privilege + + -- Proxmox Support Team Wed, 28 Feb 2024 15:42:12 +0100 + +libpve-access-control (8.1.1) bookworm; urgency=medium + + * LDAP sync: fix-up assembling valid attribute set + + -- Proxmox Support Team Thu, 08 Feb 2024 19:03:26 +0100 + +libpve-access-control (8.1.0) bookworm; urgency=medium + + * api: user: limit the legacy user-keys option to the depreacated values + that could be set in the first limited TFA system, like e.g., 'x!yubico' + or base32 encoded secrets. + + * oidc: enforce generic URI regex for the ACR value to align with OIDC + specifications and with Proxmox Backup Server, which was recently changed + to actually be less strict. 
+ + * LDAP sync: improve validation of synced attributes, closely limit the + mapped attributes names and their values to avoid glitches through odd + LDIF entries. + + * api: user: limit maximum length for first & last name to 1024 characters, + email to 254 characters (the maximum actually useable in practice) and + comment properties to 2048 characters. This avoid that a few single users + bloat the user.cfg to much by mistake, reducing the total amount of users + and ACLs that can be set up. Note that only users with User.Modify and + realm syncs (setup by admins) can change these in the first place, so this + is mostly to avoid mishaps and just to be sure. + + -- Proxmox Support Team Thu, 08 Feb 2024 17:50:59 +0100 + +libpve-access-control (8.0.7) bookworm; urgency=medium + + * fix #1148: allow up to three levels of pool nesting + + * pools: record parent/subpool information + + -- Proxmox Support Team Mon, 20 Nov 2023 12:24:13 +0100 + +libpve-access-control (8.0.6) bookworm; urgency=medium + + * perms: fix wrong /pools entry in default set of ACL paths + + * acl: add missing SDN ACL paths to allowed list + + -- Proxmox Support Team Fri, 17 Nov 2023 08:27:11 +0100 + +libpve-access-control (8.0.5) bookworm; urgency=medium + + * fix an issue where setting ldap passwords would refuse to work unless + at least one additional property was changed as well + + * add 'check-connection' parameter to create and update endpoints for ldap + based realms + + -- Proxmox Support Team Fri, 11 Aug 2023 13:35:23 +0200 + +libpve-access-control (8.0.4) bookworm; urgency=medium + + * Lookup of second factors is no longer tied to the 'keys' field in the + user.cfg. This fixes an issue where certain LDAP/AD sync job settings + could disable user-configured 2nd factors. + + * Existing-but-disabled TFA factors can no longer circumvent realm-mandated + TFA. 
+ + -- Proxmox Support Team Thu, 20 Jul 2023 10:59:21 +0200 + +libpve-access-control (8.0.3) bookworm; urgency=medium + + * pveum: list tfa: recovery keys have no descriptions + + * pveum: list tfa: sort by user ID + + * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format + is understood since pve-manager 7.0-15, and users must upgrade to Proxmox + VE 7.4 before upgrading to Proxmox VE 8 in addition to that. + + -- Proxmox Support Team Wed, 21 Jun 2023 19:45:29 +0200 + +libpve-access-control (8.0.2) bookworm; urgency=medium + + * api: users: sort groups to avoid "flapping" text + + * api: tfa: don't block tokens from viewing and list TFA entries, both are + safe to do for anybody with enough permissions to view a user. + + * api: tfa: add missing links for child-routes + + -- Proxmox Support Team Wed, 21 Jun 2023 18:13:54 +0200 + +libpve-access-control (8.0.1) bookworm; urgency=medium + + * tfa: cope with native versions in cluster version check + + -- Proxmox Support Team Fri, 09 Jun 2023 16:12:01 +0200 + +libpve-access-control (8.0.0) bookworm; urgency=medium + + * api: roles: forbid creating new roles starting with "PVE" namespace + + -- Proxmox Support Team Fri, 09 Jun 2023 10:14:28 +0200 + +libpve-access-control (8.0.0~3) bookworm; urgency=medium + + * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path + + * access control: add /sdn/zones/// ACL object path + + * add helper for checking bridge access + + * add new SDN.Use privilege in PVESDNUser role, allowing one to specify + which user are allowed to use a bridge (or vnet, if SDN is installed) + + * add privileges and paths for cluster resource mapping + + -- Proxmox Support Team Wed, 07 Jun 2023 19:06:54 +0200 + +libpve-access-control (8.0.0~2) bookworm; urgency=medium + + * api: user index: only include existing tfa lock flags + + * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs + + * roles: only include Permissions.Modify in Administrator built-in 
role. + As, depending on the ACL object path, this privilege might allow one to + change their own permissions, which was making the distinction between + Admin and PVEAdmin irrelevant. + + * acls: restrict less-privileged ACL modifications. Through allocate + permissions in pools, storages and virtual guests one can do some ACL + modifications without having the Permissions.Modify privilege, lock those + better down to ensure that one can only hand out only the subset of their + own privileges, never more. Note that this is mostly future proofing, as + the ACL object paths one could give out more permissions where already + limiting the scope. + + -- Proxmox Support Team Wed, 07 Jun 2023 11:34:30 +0200 + +libpve-access-control (8.0.0~1) bookworm; urgency=medium + + * bump pve-rs dependency to 0.8.3 + + * drop old verify_tfa api call (POST /access/tfa) + + * drop support for old login API: + - 'new-format' is now considured to be 1 and ignored by the API + + * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... 
by remote + address + + * cli: add 'pveum tfa list' + + * cli: add 'pveum tfa unlock' + + * enable lockout of TFA: + - too many TOTP attempts will lock out of TOTP + - using a recovery key will unlock TOTP + - too many TFA attempts will lock a user's TFA auth for an hour + + * api: add /access/users//unlock-tfa to unlock a user's TFA + authentication if it was locked by too many wrong 2nd factor login attempts + + * api: /access/tfa and /access/users now include the tfa lockout status + + -- Proxmox Support Team Mon, 05 Jun 2023 14:52:29 +0200 + +libpve-access-control (7.99.0) bookworm; urgency=medium + + * initial re-build for Proxmox VE 8.x series + + * switch to native versioning + + -- Proxmox Support Team Sun, 21 May 2023 10:34:19 +0200 + +libpve-access-control (7.4-3) bullseye; urgency=medium + + * use new 2nd factor verification from pve-rs + + -- Proxmox Support Team Tue, 16 May 2023 13:31:28 +0200 + +libpve-access-control (7.4-2) bullseye; urgency=medium + + * fix #4609: fix regression where a valid DN in the ldap/ad realm config + wasn't accepted anymore + + -- Proxmox Support Team Thu, 23 Mar 2023 15:44:21 +0100 + +libpve-access-control (7.4-1) bullseye; urgency=medium + + * realm sync: refactor scope/remove-vanished into a standard option + + * ldap: Allow quoted values for DN attribute values + + -- Proxmox Support Team Mon, 20 Mar 2023 17:16:11 +0100 + +libpve-access-control (7.3-2) bullseye; urgency=medium + + * fix #4518: dramatically improve ACL computation performance + + * userid format: clarify that this is the full name@realm in description + + -- Proxmox Support Team Mon, 06 Mar 2023 11:40:11 +0100 + +libpve-access-control (7.3-1) bullseye; urgency=medium + + * realm: sync: allow explicit 'none' for 'remove-vanished' option + + -- Proxmox Support Team Fri, 16 Dec 2022 13:11:04 +0100 + +libpve-access-control (7.2-5) bullseye; urgency=medium + + * api: realm sync: avoid separate log line for "remove-vanished" opt + + * auth ldap/ad: compare 
group member dn case-insensitively + + * two factor auth: only lock tfa config for recovery keys + + * privs: add Sys.Incoming for guarding cross-cluster data streams like guest + migrations and storage migrations + + -- Proxmox Support Team Thu, 17 Nov 2022 13:09:17 +0100 + +libpve-access-control (7.2-4) bullseye; urgency=medium + + * fix #4074: increase API OpenID code size limit to 2048 + + * auth key: protect against rare chance of a double rotation in clusters, + leaving the potential that some set of nodes have the earlier key cached, + that then got rotated out due to the race, resulting in a possible other + set of nodes having the newer key cached. This is a split view of the auth + key and may resulting in spurious failures if API requests are made to a + different node than the ticket was generated on. + In addition to that, the "keep validity of old tickets if signed in the + last two hours before rotation" logic was disabled too in such a case, + making such tickets invalid too early. + Note that both are cases where Proxmox VE was too strict, so while this + had no security implications it can be a nuisance, especially for + environments that use the API through an automated or scripted way + + -- Proxmox Support Team Thu, 14 Jul 2022 08:36:51 +0200 + +libpve-access-control (7.2-3) bullseye; urgency=medium + + * api: token: use userid-group as API perm check to avoid being overly + strict through a misguided use of user id for non-root users. + + * perm check: forbid undefined/empty ACL path for future proofing of against + above issue + + -- Proxmox Support Team Mon, 20 Jun 2022 15:51:14 +0200 + +libpve-access-control (7.2-2) bullseye; urgency=medium + + * permissions: merge propagation flag for multiple roles on a path that + share privilege in a deterministic way, to avoid that it gets lost + depending on perl's random sort, which would result in returing less + privileges than an auth-id actually had. 
+ + * permissions: avoid that token and user privilege intersection is to strict + for user permissions that have propagation disabled. + + -- Proxmox Support Team Fri, 03 Jun 2022 14:02:30 +0200 + +libpve-access-control (7.2-1) bullseye; urgency=medium + + * user check: fix expiration/enable order + + -- Proxmox Support Team Tue, 31 May 2022 13:43:37 +0200 + +libpve-access-control (7.1-8) bullseye; urgency=medium + + * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove- + vanished' + + -- Proxmox Support Team Thu, 28 Apr 2022 17:02:46 +0200 + +libpve-access-control (7.1-7) bullseye; urgency=medium + + * userid-group check: distinguish create and update + + * api: get user: declare token schema + + -- Proxmox Support Team Mon, 21 Mar 2022 16:15:23 +0100 + +libpve-access-control (7.1-6) bullseye; urgency=medium + + * fix #3768: warn on bad u2f or webauthn settings + + * tfa: when modifying others, verify the current user's password + + * tfa list: account for admin permissions + + * fix realm sync permissions + + * fix token permission display bug + + * include SDN permissions in permission tree + + -- Proxmox Support Team Fri, 21 Jan 2022 14:20:42 +0100 + +libpve-access-control (7.1-5) bullseye; urgency=medium + + * openid: fix username-claim fallback + + -- Proxmox Support Team Thu, 25 Nov 2021 07:57:38 +0100 + +libpve-access-control (7.1-4) bullseye; urgency=medium + + * set current origin in the webauthn config if no fixed origin was + configured, to support webauthn via subdomains + + -- Proxmox Support Team Mon, 22 Nov 2021 14:04:06 +0100 + +libpve-access-control (7.1-3) bullseye; urgency=medium + + * openid: allow arbitrary username-claims + + * openid: support configuring the prompt, scopes and ACR values + + -- Proxmox Support Team Fri, 19 Nov 2021 08:11:52 +0100 + +libpve-access-control (7.1-2) bullseye; urgency=medium + + * catch incompatible tfa entries with a nice error + + -- Proxmox Support Team Wed, 17 Nov 2021 13:44:45 +0100 + 
+libpve-access-control (7.1-1) bullseye; urgency=medium + + * tfa: map HTTP 404 error in get_tfa_entry correctly + + -- Proxmox Support Team Mon, 15 Nov 2021 15:33:22 +0100 + +libpve-access-control (7.0-7) bullseye; urgency=medium + + * fix #3513: pass configured proxy to OpenID + + * use rust based parser for TFA config + + * use PBS-like auth api call flow, + + * merge old user.cfg keys to tfa config when adding entries + + * implement version checks for new tfa config writer to ensure all + cluster nodes are ready to avoid login issues + + * tickets: add tunnel ticket + + -- Proxmox Support Team Thu, 11 Nov 2021 18:17:49 +0100 + +libpve-access-control (7.0-6) bullseye; urgency=medium + + * fix regression in user deletion when realm does not enforce TFA + + -- Proxmox Support Team Thu, 21 Oct 2021 12:28:52 +0200 + +libpve-access-control (7.0-5) bullseye; urgency=medium + + * acl: check path: add /sdn/vnets/* path + + * fix #2302: allow deletion of users when realm enforces TFA + + * api: delete user: disable user first to avoid surprise on error during the + various cleanup action required for user deletion (e.g., TFA, ACL, group) + + -- Proxmox Support Team Mon, 27 Sep 2021 15:50:47 +0200 + +libpve-access-control (7.0-4) bullseye; urgency=medium + + * realm: add OpenID configuration + + * api: implement OpenID related endpoints + + * implement opt-in OpenID autocreate user feature + + * api: user: add 'realm-type' to user list response + + -- Proxmox Support Team Fri, 02 Jul 2021 13:45:46 +0200 + +libpve-access-control (7.0-3) bullseye; urgency=medium + + * api: acl: add missing `/access/realm/`, `/access/group/` and + `/sdn/zones/` to allowed ACL paths + + -- Proxmox Support Team Mon, 21 Jun 2021 10:31:19 +0200 + +libpve-access-control (7.0-2) bullseye; urgency=medium + + * fix #3402: add Pool.Audit privilege - custom roles containing + Pool.Allocate must be updated to include the new privilege. 
+ + -- Proxmox Support Team Tue, 1 Jun 2021 11:28:38 +0200 + +libpve-access-control (7.0-1) bullseye; urgency=medium + + * re-build for Debian 11 Bullseye based releases + + -- Proxmox Support Team Sun, 09 May 2021 18:18:23 +0200 + +libpve-access-control (6.4-1) pve; urgency=medium + + * fix #1670: change PAM service name to project specific name + + * fix #1500: permission path syntax check for access control + + * pveum: add resource pool CLI commands + + -- Proxmox Support Team Sat, 24 Apr 2021 19:48:21 +0200 + +libpve-access-control (6.1-3) pve; urgency=medium + + * partially fix #2825: authkey: rotate if it was generated in the + future + + * fix #2947: add an option to LDAP or AD realm to switch user lookup to case + insensitive + + -- Proxmox Support Team Tue, 29 Sep 2020 08:54:13 +0200 + +libpve-access-control (6.1-2) pve; urgency=medium + + * also check SDN permission path when computing coarse permissions heuristic + for UIs + + * add SDN Permissions.Modify + + * add VM.Config.Cloudinit + + -- Proxmox Support Team Tue, 30 Jun 2020 13:06:56 +0200 + +libpve-access-control (6.1-1) pve; urgency=medium + + * pveum: add tfa delete subcommand for deleting user-TFA + + * LDAP: don't complain about missing credentials on realm removal + + * LDAP: skip anonymous bind when client certificate and key is configured + + -- Proxmox Support Team Fri, 08 May 2020 17:47:41 +0200 + libpve-access-control (6.0-7) pve; urgency=medium * fix #2575: die when trying to edit built-in roles * add realm sub commands to pveum CLI tool - * api: domains: add user group sync API enpoint + * api: domains: add user group sync API endpoint * allow one to sync and import users and groups from LDAP/AD based realms 
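Review bot: two path lines in the new entries of this hunk have empty path components, `* access control: add /sdn/zones/// ACL object path` (8.0.0~3) and `* api: add /access/users//unlock-tfa to unlock a user's TFA` (8.0.0~1); the doubled slashes read like placeholder segments that were dropped, so confirm the committed text names the path components, since these lines are the only record of the new ACL object path and API route. The new entry text also carries spelling and grammar slips that ship in the package's changelog: `depreacated` (8.1.0), `considured` (8.0.0~1), `returing` (7.2-2); `are almost always are outside of the control` and `is to cheap to implement` (8.1.3); `This avoid that a few single users bloat the user.cfg to much` (8.1.0); `which user are allowed to use a bridge` (8.0.0~3); `may resulting in spurious failures` (7.2-4); `where already limiting the scope` (8.0.0~2, should be `were`); `intersection is to strict` (7.2-2, should be `too`). Finally, the 7.0-2 trailer `-- Proxmox Support Team Tue, 1 Jun 2021 11:28:38 +0200` is the only entry with a single-digit day; padding it to `01` keeps the trailer format uniform with every other entry in the file.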
@@ -89,7 +560,7 @@ libpve-access-control (5.1-10) unstable; urgency=medium libpve-access-control (5.1-9) unstable; urgency=medium * store the tfa type in user.cfg allowing to get it without proxying the call - to a higher priviledged daemon. + to a higher privileged daemon. * tfa: realm required TFA should lock out users without TFA configured, as it was done before Proxmox VE 5.4 @@ -475,7 +946,7 @@ libpve-access-control (3.0-4) unstable; urgency=low libpve-access-control (3.0-3) unstable; urgency=low - * Add new role PVETemplateUser (and VM.Clone priviledge) + * Add new role PVETemplateUser (and VM.Clone privilege) -- Proxmox Support Team Mon, 29 Apr 2013 11:42:15 +0200 @@ -542,7 +1013,7 @@ libpve-access-control (1.0-19) unstable; urgency=low libpve-access-control (1.0-18) unstable; urgency=low - * fix bug #151: corretly parse username inside ticket + * fix bug #151: correctly parse username inside ticket * fix bug #152: allow user to change his own password @@ -637,7 +1108,7 @@ libpve-access-control (1.0-4) unstable; urgency=low libpve-access-control (1.0-3) unstable; urgency=low * add support for delayed parameter parsing - We need that to disable - file upload for normal API request (avoid DOS attacs) + file upload for normal API request (avoid DOS attacks) -- Proxmox Support Team Fri, 02 Dec 2011 09:56:10 +0100
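Review bot: in the `@@ -637,7 +1108,7 @@` hunk, the line `+ file upload for normal API request (avoid DOS attacks)` fixes `attacs` but keeps `DOS`; since the line is being touched anyway, `DoS` is the usual spelling for denial of service, and `normal API request` would read better as `normal API requests`. The remaining spelling-only hunks against released entries (`priviledged`, `priviledge`, `corretly`) are fine: none of them touch a version, distribution or date line, so they cannot affect how dpkg-parsechangelog reads the file.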