Origin: commit:a3d696b6d6400e6b66a39fbbd01225edbda2ee1c
Author: Danny Auble <da@schedmd.com>
Reviewed-by: Shengqi Chen <harry@debian.org>
Bug: https://security-tracker.debian.org/tracker/CVE-2025-4390
Date: Wed, 7 May 2025 10:39:15 -0600
Description: [PATCH] Fix issue where a coord could add a user with elevated
 privileges

Changelog: Fix security issue where a coordinator could add a user with
 elevated privileges. CVE-2025-43904.
Issue: 50391
---
 .../accounting_storage/mysql/as_mysql_user.c    | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

--- a/src/plugins/accounting_storage/mysql/as_mysql_user.c
+++ b/src/plugins/accounting_storage/mysql/as_mysql_user.c
@@ -275,6 +275,7 @@
 	int affect_rows = 0;
 	List assoc_list;
 	List wckey_list;
+	bool is_admin = false;
 
 	if (check_connection(mysql_conn) != SLURM_SUCCESS)
 		return ESLURM_DB_CONNECTION;
@@ -295,6 +296,8 @@
 		 * these accounts if they are coordinators of the
 		 * parent they are trying to add to
 		 */
+	} else {
+		is_admin = true;
 	}
 
 	assoc_list = list_create(slurmdb_destroy_assoc_rec);
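Review bot: `is_admin` is set in the `else` of a privilege test whose condition lies above this hunk, so the flag's exact meaning cannot be read from here. A one-line comment on the assignment would pin it down, for example `/* caller passed the admin-level check above and may set admin_level */`. The error string added further down says "admins/operators", which suggests the flag is also true for operators. If so, it is worth confirming that an operator is meant to be able to grant any `admin_level`, because the later check does not compare the requested level with the caller's own.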
@@ -318,6 +321,11 @@
 			   (long)now, (long)now, object->name);
 
 		if (object->admin_level != SLURMDB_ADMIN_NOTSET) {
+			if (!is_admin) {
+				error("Only admins/operators can add an admin/operator");
+				rc = ESLURM_ACCESS_DENIED;
+				break;
+			}
 			xstrcat(cols, ", admin_level");
 			xstrfmtcat(vals, ", %u", object->admin_level);
 			xstrfmtcat(extra, ", admin_level=%u",
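Review bot: The `break` on the denial path leaves the loop after `cols` and `vals` have already been appended to (the tail of the `vals` format call is the context line just above), and nothing in the hunk frees them. Unless the code after the loop does so, each denied request leaks both strings; adding `xfree(cols); xfree(vals);` before `break` would close that. The `error()` call also records neither the target account nor the requester, which makes the denial hard to use as an audit signal. Something like `error("Only admins/operators can add an admin/operator (user '%s')", object->name);` would help. The loop body starts and ends outside the hunk.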
@@ -416,7 +424,7 @@
 	list_iterator_destroy(itr);
 	xfree(user_name);
 
-	if (rc != SLURM_ERROR) {
+	if (rc == SLURM_SUCCESS) {
 		if (txn_query) {
 			xstrcat(txn_query, ";");
 			rc = mysql_db_query(mysql_conn,
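Review bot: The tightened test `rc == SLURM_SUCCESS` now skips the transaction record for every failure code, not just `SLURM_ERROR`, but the hunk does not show what the non-success path does with `txn_query` or with rows already inserted for earlier entries in the list. It is worth confirming that this path frees `txn_query` and that the caller rolls back, so that a request denied partway through leaves no users behind. A comment above the test such as `/* any failure, including ESLURM_ACCESS_DENIED, must not record a txn */` would state the intent. The `if` body continues past the end of the hunk.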
