mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-17 12:07:02 +02:00
Code Issues Projects Releases Wiki Activity

Fix HelpOperation on sudo-protected paths (#18568)

Browse Source 
* Fix HelpOperation on sudo-protected paths

Fixes #18566

* Add changelog
This commit is contained in:
Max Bowsher 2023-01-10 18:17:16 +00:00 committed by GitHub
parent 1fca38a4ae
commit 4758cc8f86
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/18568.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
core: Fix spurious `permission denied` for all HelpOperations on sudo-protected paths
```

4
vault/acl.go
View File

@ -719,7 +719,9 @@ func (c *Core) performPolicyChecks(ctx context.Context, acl *ACL, te *logical.To
if !ret.ACLResults.Allowed {
return ret
}
if !ret.RootPrivs && opts.RootPrivsRequired {
// Since HelpOperation was fast-pathed inside AllowOperation, RootPrivs will not have been populated in this
// case, so we need to special-case that here as well, or we'll block HelpOperation on all sudo-protected paths.
if !ret.RootPrivs && opts.RootPrivsRequired && req.Operation != logical.HelpOperation {
return ret
}
}