From d6828edc63bc1add3225e82720369168e0d4f3d6 Mon Sep 17 00:00:00 2001 From: Andrew Walker Date: Tue, 12 Dec 2023 09:47:52 -0800 Subject: [PATCH] Prevent locking out root / admin user (#12707) If builtin_administrators is removed from Local Administrators privilege then root and admin user will not be able to authenticate via middlware APIs. --- .../middlewared/plugins/account_/privilege.py | 13 ++++++++++++- src/middlewared/middlewared/utils/privilege.py | 5 +++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/src/middlewared/middlewared/plugins/account_/privilege.py b/src/middlewared/middlewared/plugins/account_/privilege.py index c50549cf95e0c..c87094994b070 100644 --- a/src/middlewared/middlewared/plugins/account_/privilege.py +++ b/src/middlewared/middlewared/plugins/account_/privilege.py @@ -4,7 +4,11 @@ from middlewared.schema import accepts, Bool, Dict, Int, List, Ref, SID, Str, Patch from middlewared.service import CallError, CRUDService, filter_list, private, ValidationErrors from middlewared.service_exception import MatchNotFound -from middlewared.utils.privilege import privilege_has_webui_access, privileges_group_mapping +from middlewared.utils.privilege import ( + LocalAdminGroups, + privilege_has_webui_access, + privileges_group_mapping +) import middlewared.sqlalchemy as sa @@ -125,6 +129,13 @@ async def do_update(self, id_, data): builtin_privilege = BuiltinPrivileges(new["builtin_name"]) if builtin_privilege == BuiltinPrivileges.LOCAL_ADMINISTRATOR: + if LocalAdminGroups.BUILTIN_ADMINISTRATORS not in new["local_groups"]: + verrors.add( + "privilege_update.local_groups", + f"The group {LocalAdminGroups.BUILTIN_ADMINISTRATORS.name.lower()} must be " + "among grantees of the \"Local Administrator\" privilege." + ) + if not await self.middleware.call("group.has_password_enabled_user", new["local_groups"]): verrors.add( "privilege_update.local_groups", diff --git a/src/middlewared/middlewared/utils/privilege.py b/src/middlewared/middlewared/utils/privilege.py index 5c243403b5ca4..f2de7b6e55088 100644 --- a/src/middlewared/middlewared/utils/privilege.py +++ b/src/middlewared/middlewared/utils/privilege.py @@ -1,6 +1,11 @@ +import enum from middlewared.role import ROLES +class LocalAdminGroups(enum.IntEnum): + BUILTIN_ADMINISTRATORS = 544 + + def privilege_has_webui_access(privilege: dict) -> bool: """ This method determines whether the specified privilege is sufficient