luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Fix HelpOperation on sudo-protected paths (#18568) 

* Fix HelpOperation on sudo-protected paths

Fixes #18566

* Add changelog
This commit is contained in:
Max Bowsher 2023-01-10 18:17:16 +00:00 committed by GitHub
parent e4685c10ef
commit 6d6a726f9d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/18568.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
core: Fix spurious `permission denied` for all HelpOperations on sudo-protected paths
```

4
vault/acl.go
View File

@ -719,7 +719,9 @@ func (c *Core) performPolicyChecks(ctx context.Context, acl *ACL, te *logical.To
if !ret.ACLResults.Allowed {
return ret
}
if !ret.RootPrivs && opts.RootPrivsRequired {
// Since HelpOperation was fast-pathed inside AllowOperation, RootPrivs will not have been populated in this
// case, so we need to special-case that here as well, or we'll block HelpOperation on all sudo-protected paths.
if !ret.RootPrivs && opts.RootPrivsRequired && req.Operation != logical.HelpOperation {
return ret
}
}