From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH v1 container 3/5] fix #2582: api: add checks for 'SuperUser' privilege for root-only options
Date: Thu, 10 Feb 2022 16:30:02 +0100 [thread overview]
Message-ID: <1644493686.5emiz9u4bh.astroid@nora.none> (raw)
In-Reply-To: <<20220208131011.752134-4-o.bektas@proxmox.com>
On February 8, 2022 2:10 pm, Oguz Bektas wrote:
> this way we can allow non-root users to act as a SU on specific
> root-only API paths by giving them the built-in SA role or a custom role
> with the SU privilege included.
>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> src/PVE/API2/LXC.pm | 13 ++++++-------
> src/PVE/API2/LXC/Status.pm | 8 ++++++--
> src/PVE/LXC.pm | 9 ++++++---
> 3 files changed, 18 insertions(+), 12 deletions(-)
>
> diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
> index 7573814..b24e405 100644
> --- a/src/PVE/API2/LXC.pm
> +++ b/src/PVE/API2/LXC.pm
> @@ -295,7 +295,7 @@ __PACKAGE__->register_method({
>
> my $conf = {};
>
> - my $is_root = $authuser eq 'root@pam';
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
>
> my $no_disk_param = {};
> my $mp_param = {};
> @@ -330,8 +330,8 @@ __PACKAGE__->register_method({
> my $mp = $mountpoint->{mp};
>
> if ($mountpoint->{type} ne 'volume') { # bind or device
> - die "Only root can pass arbitrary filesystem paths.\n"
> - if !$is_root;
> + die "Only superusers can pass arbitrary filesystem paths.\n"
> + if !$is_superuser;
schema still has root-only in the description, both here and in the
update path..
> } else {
> my ($sid, $volname) = PVE::Storage::parse_volume_id($volid);
> &$check_and_activate_storage($sid);
> @@ -371,7 +371,7 @@ __PACKAGE__->register_method({
> # causing it to restore the raw lxc entries, among which there may be
> # 'lxc.idmap' entries. We need to make sure that the extracted contents
> # of the container match up with the restored configuration afterwards:
> - $conf->{lxc} = $orig_conf->{lxc} if $is_root;
> + $conf->{lxc} = $orig_conf->{lxc} if $is_superuser;
>
> $conf->{unprivileged} = $orig_conf->{unprivileged}
> if !defined($unprivileged) && defined($orig_conf->{unprivileged});
> @@ -405,8 +405,7 @@ __PACKAGE__->register_method({
> my $type = $mountpoint->{type};
> die "restoring rootfs to $type mount is only possible by specifying -rootfs manually!\n"
> if ($ms eq 'rootfs');
> - die "restoring '$ms' to $type mount is only possible for root\n"
> - if !$is_root;
> + die "restoring '$ms' to $type mount is only possible for root\n" if !$is_superuser;
still references root
>
> if ($mountpoint->{backup}) {
> warn "WARNING - unsupported configuration!\n";
> @@ -447,7 +446,7 @@ __PACKAGE__->register_method({
>
> if ($restore) {
> print "merging backed-up and given configuration..\n";
> - PVE::LXC::Create::restore_configuration($vmid, $storage_cfg, $archive, $rootdir, $conf, !$is_root, $unique, $skip_fw_config_restore);
> + PVE::LXC::Create::restore_configuration($vmid, $storage_cfg, $archive, $rootdir, $conf, !$is_superuser, $unique, $skip_fw_config_restore);
> my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
> $lxc_setup->template_fixup($conf);
> } else {
> diff --git a/src/PVE/API2/LXC/Status.pm b/src/PVE/API2/LXC/Status.pm
> index f7e3128..791cdc6 100644
> --- a/src/PVE/API2/LXC/Status.pm
> +++ b/src/PVE/API2/LXC/Status.pm
> @@ -150,9 +150,11 @@ __PACKAGE__->register_method({
> my $node = extract_param($param, 'node');
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> raise_param_exc({ skiplock => "Only root may use this option." })
nit: message needs updating (repeated a few times below)
> - if $skiplock && $authuser ne 'root@pam';
> + if $skiplock && !$is_superuser;
>
> die "CT $vmid already running\n" if PVE::LXC::check_running($vmid);
>
> @@ -234,9 +236,11 @@ __PACKAGE__->register_method({
> my $node = extract_param($param, 'node');
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + if $skiplock && !$is_superuser;
>
> die "CT $vmid not running\n" if !PVE::LXC::check_running($vmid);
>
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index b07d986..6b5125c 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1254,7 +1254,9 @@ sub template_create {
> sub check_ct_modify_config_perm {
> my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf, $delete, $unprivileged) = @_;
>
> - return 1 if $authuser eq 'root@pam';
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser']);
> + return 1 if $is_superuser;
so.. 'SuperUser' on its own should only skip those parts where root@pam
was previously a requirement on top of other checks, but instead
'SuperUser' can now modify the config however even with no other privs?
> +
> my $storage_cfg = PVE::Storage::config();
>
> my $check = sub {
> @@ -1320,12 +1322,13 @@ sub check_ct_modify_config_perm {
here there is the non-volume part that is still root-only, with no
comment about why that one is not switched to 'SuperUser'?
also, features for privileged containers is still root-only (should
probably require VM.Allocate + SuperUser, when looking at the
create/restore path).
> }
> }
> raise_perm_exc("changing feature flags (except nesting) is only allowed for root\@pam")
wrong message now
> - if $other_changed;
> + if $other_changed && !$is_superuser;
> $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Allocate'])
> if $nesting_changed;
> } elsif ($opt eq 'hookscript') {
> # For now this is restricted to root@pam
> - raise_perm_exc("changing the hookscript is only allowed for root\@pam");
> + raise_perm_exc("changing the hookscript is only allowed for root\@pam")
> + if !$is_superuser;
comment, message and code don't agree
> } else {
> $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options']);
> }
> --
> 2.30.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
next prev parent reply other threads:[~2022-02-10 15:30 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-08 13:10 [pve-devel] [PATCH v1 access-control++ 0/5] SuperUser privilege Oguz Bektas
2022-02-08 13:10 ` [pve-devel] [PATCH v1 access-control 1/5] add default "SuperAdministrator" role with the new "SuperUser" privilege Oguz Bektas
2022-02-08 13:10 ` [pve-devel] [PATCH v1 access-control 2/5] tfa: allow superusers to edit root@pam tfa Oguz Bektas
[not found] ` <<20220208131011.752134-3-o.bektas@proxmox.com>
2022-02-10 15:30 ` Fabian Grünbichler
2022-02-08 13:10 ` [pve-devel] [PATCH v1 container 3/5] fix #2582: api: add checks for 'SuperUser' privilege for root-only options Oguz Bektas
[not found] ` <<20220208131011.752134-4-o.bektas@proxmox.com>
2022-02-10 15:30 ` Fabian Grünbichler [this message]
2022-02-08 13:10 ` [pve-devel] [PATCH v1 manager 4/5] change 'root@pam' checks with 'SuperUser' capability check Oguz Bektas
[not found] ` <<20220208131011.752134-5-o.bektas@proxmox.com>
2022-02-10 15:29 ` Fabian Grünbichler
2022-02-25 10:13 ` Dominik Csapak
2022-02-25 12:24 ` Thomas Lamprecht
2022-02-08 13:10 ` [pve-devel] [PATCH v1 qemu-server 5/5] add SuperUser privilege checks for root-only options Oguz Bektas
[not found] ` <<20220208131011.752134-6-o.bektas@proxmox.com>
2022-02-10 15:29 ` Fabian Grünbichler
2022-02-10 15:28 ` [pve-devel] [PATCH v1 access-control++ 0/5] SuperUser privilege Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1644493686.5emiz9u4bh.astroid@nora.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.