git.proxmox.com Git - pve-access-control.git/commitdiff
parse_user_cfg: correctly parse group names in ACLs
author Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thu, 3 Oct 2019 08:33:28 +0000 (10:33 +0200)
committer Thomas Lamprecht <t.lamprecht@proxmox.com>
Thu, 3 Oct 2019 08:47:44 +0000 (10:47 +0200)
usernames are allowed to start with '@', so adding a user '@test@pve'
and adding it to an ACL should work, instead of ignoring that part of
the ACL entry.

So use verify_groupname to additionally enforce that the group name we
extracted does not include an additional @, as then it cannot be a
group.

note: there is no potential for user and group to be confused, since a
username must end with '@REALM', and a group reference in an ACL can
only contain one '@' (as first character).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
PVE/AccessControl.pm

index 44f4a01ad241ee423e27c282c934563dfa567ac5..6ea0b85b81c9d97df7b0ff4f7f53b8705672342d 100644 (file)
@@ -974,8 +974,9 @@ sub parse_user_config {
                    }
 
                    foreach my $ug (split_list($uglist)) {
                    }
 
                    foreach my $ug (split_list($uglist)) {
-                       if ($ug =~ m/^@(\S+)$/) {
-                           my $group = $1;
+                       my ($group) = $ug =~ m/^@(\S+)$/;
+
+                       if ($group && verify_groupname($group, 1)) {
                            if ($cfg->{groups}->{$group}) { # group exists
                                $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
                            } else {
                            if ($cfg->{groups}->{$group}) { # group exists
                                $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
                            } else {
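Review bot: In the new condition `if ($group && verify_groupname($group, 1))`, the `$group &&` part tests truthiness rather than whether the regex matched, so an ACL entry `@0` captures the string "0", which Perl treats as false, and the entry skips the group branch even though the old `m/^@(\S+)$/` test accepted it. Writing `defined($group) && verify_groupname($group, 1)` would keep the match semantics and leave the validity decision entirely to verify_groupname. A short comment above the check noting that user names may also start with '@', and what the second argument `1` means, would help the next reader. A regression test with a user such as '@test@pve' in an ACL line would pin the behaviour the commit message describes.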