acls: restrict less-privileged ACL modifications

there are currently three possibilities to modify ACLs without the
'Permissions.Modify' privilege in PVE::RPCEnvironment::check_perm_modify:

    if ($path =~ m|^/storage/.+$|) {
	push @$testperms, 'Datastore.Allocate';
    } elsif ($path =~ m|^/vms/.+$|) {
	push @$testperms, 'VM.Allocate';
    } elsif ($path =~ m|^/pool/.+$|) {
	push @$testperms, 'Pool.Allocate';
    }

lock those down by only allowing the currently authenticated user to hand out a
subset of their own privileges, never more.

for example, this still allows a PVEVMAdmin to create ACLs for other
users/tokens with PVEVMUser (on '/vm/XXX'), but not with Administrator or
PVEPermAdmin.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/src/PVE/API2/ACL.pm b/src/PVE/API2/ACL.pm
index f0c9efbd7b2b6681cac075215da4e359fc7fa439..93adb78248c6de1f076f03581838d93a87983eb2 100644 (file)
--- a/src/PVE/API2/ACL.pm
+++ b/src/PVE/API2/ACL.pm
@@ -148,9 +148,12 @@ __PACKAGE__->register_method ({
 
        PVE::AccessControl::lock_user_config(
            sub {
-
                my $cfg = cfs_read_file("user.cfg");
 
+               my $rpcenv = PVE::RPCEnvironment::get();
+               my $authuser = $rpcenv->get_user();
+               my $auth_user_privs = $rpcenv->permissions($authuser, $path);
+
                my $propagate = 1;
 
                if (defined($param->{propagate})) {
@@ -163,6 +166,25 @@ __PACKAGE__->register_method ({
                    die "role '$role' does not exist\n"
                        if !$cfg->{roles}->{$role};
 
+                   if (!$auth_user_privs->{'Permissions.Modify'}) {
+                       # 'perm-modify' allows /vms/* with VM.Allocate and similar restricted use cases
+                       # filter those to only allow handing out a subset of currently active privs
+                       my $role_privs = $cfg->{roles}->{$role};
+                       my $verb = $param->{delete} ? 'remove' : 'add';
+                       foreach my $priv (keys $role_privs->%*) {
+                           raise_param_exc({ role => "Cannot $verb role '$role' - requires 'Permissions.Modify' or superset of privileges." })
+                               if !defined($auth_user_privs->{$priv});
+
+                           # propagation is only potentially problematic for adding ACLs, not removing..
+                           raise_param_exc({ role => "Cannot $verb role '$role' with propagation - requires 'Permissions.Modify' or propagated superset of privileges." })
+                               if $propagate && $auth_user_privs->{$priv} != $propagate && !$param->{delete};
+                       }
+
+                       # NoAccess has no privs, needs an explicit check
+                       raise_param_exc({ role => "Cannot $verb role '$role' - requires 'Permissions.Modify'"})
+                           if $role eq 'NoAccess';
+                   }
+
                    foreach my $group (split_list($param->{groups})) {
 
                        die "group '$group' does not exist\n"