unable to impersonate users when 2fa is enabled

RESOLVED FIXED

Status


bugzilla.mozilla.org
General
3 years ago
3 years ago

People

(Reporter: glob, Assigned: dkl)

Tracking

Production

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

3 years ago
unable to impersonate users when 2fa is enabled - the following error is displayed after providing the 2fa code:

> Your Bugzilla password is required to begin a sudo session. Please go back and enter your password.

Updated

3 years ago
Blocks: 1221428
(Assignee)

Updated

3 years ago
Assignee: nobody → dkl
Status: NEW → ASSIGNED
(Assignee)

Comment 1

3 years ago
Created attachment 8683453 [details] [diff] [review]
1221423_1.patch

Had to refactor how sudo works in relogin.cgi quite a bit to make this work with mfa unfortunately.
Attachment #8683453 - Flags: review?(glob)
(Reporter)

Comment 2

3 years ago
Comment on attachment 8683453 [details] [diff] [review]
1221423_1.patch

Review of attachment 8683453 [details] [diff] [review]:
-----------------------------------------------------------------

::: relogin.cgi
@@ +103,5 @@
> +    my $crypt_password = $user->cryptpassword;
> +    if (!$mfa_token
> +        && (!$current_password
> +            || (bz_crypt($current_password, $crypt_password) ne $crypt_password)))
> +    {
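
Review bot: The condition opening with `if (!$mfa_token` tests only that the mfa_token parameter is non-empty, so any request that supplies a value skips both the `!$current_password` test and the bz_crypt comparison. Decide whether the password is required from server-side state rather than from the presence of a request parameter: skip the password branch only when $user->mfa is set and the token has actually been validated, and fall through to the bz_crypt check in every other case.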

passing a mfa_token param for a user that doesn't have mfa enabled bypasses the password check (because $mfa_token will be true, and $user->mfa will be false).
Attachment #8683453 - Flags: review?(glob) → review-
(Assignee)

Comment 3

3 years ago
Created attachment 8683734 [details] [diff] [review]
1221423_2.patch

Thanks for the review. Hopefully logic is better in this version.
Attachment #8683453 - Attachment is obsolete: true
Attachment #8683734 - Flags: review?(glob)
(Reporter)

Comment 4

3 years ago
Comment on attachment 8683734 [details] [diff] [review]
1221423_2.patch

Review of attachment 8683734 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob
Attachment #8683734 - Flags: review?(glob) → review+
(Assignee)

Comment 5

3 years ago
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   4c8b7b1..4f66eb9  master -> master
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Assignee)

Comment 6

3 years ago
Fix test bustage

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   4f66eb9..2038430  master -> master