From: Oguz Bektas <o.bektas@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH container 3/4] fix #2582: api: use common helper for checking root privileges
Date: Wed, 5 Jan 2022 16:22:14 +0100 [thread overview]
Message-ID: <20220105152215.1307583-4-o.bektas@proxmox.com> (raw)
In-Reply-To: <20220105152215.1307583-1-o.bektas@proxmox.com>
we just check if the authenticated user has the 'Sys.Root' privilege on
a given path and set the $is_root variable accordingly if so.
tagged as fix for #2582 since with this series the usecase on the
bugreport should be fulfilled.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
src/PVE/API2/LXC.pm | 2 +-
src/PVE/LXC.pm | 9 ++++++---
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index 7573814..64ecc5f 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -295,7 +295,7 @@ __PACKAGE__->register_method({
my $conf = {};
- my $is_root = $authuser eq 'root@pam';
+ my $is_root = PVE::Tools::check_for_root("/vms");
my $no_disk_param = {};
my $mp_param = {};
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index b07d986..1844b04 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1254,7 +1254,9 @@ sub template_create {
sub check_ct_modify_config_perm {
my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf, $delete, $unprivileged) = @_;
- return 1 if $authuser eq 'root@pam';
+ my $is_root = PVE::Tools::check_for_root("/vms/$vmid");
+ return 1 if $is_root;
+
my $storage_cfg = PVE::Storage::config();
my $check = sub {
@@ -1320,12 +1322,13 @@ sub check_ct_modify_config_perm {
}
}
raise_perm_exc("changing feature flags (except nesting) is only allowed for root\@pam")
- if $other_changed;
+ if $other_changed && !$is_root;
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Allocate'])
if $nesting_changed;
} elsif ($opt eq 'hookscript') {
# For now this is restricted to root@pam
- raise_perm_exc("changing the hookscript is only allowed for root\@pam");
+ raise_perm_exc("changing the hookscript is only allowed for root\@pam")
+ if !$is_root;
} else {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options']);
}
--
2.30.2
next prev parent reply other threads:[~2022-01-05 15:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-05 15:22 [pve-devel] [RFC access-control common container qemu-server 0/4] #2582: Sys.Root privilege Oguz Bektas
2022-01-05 15:22 ` [pve-devel] [RFC access-control 1/4] add " Oguz Bektas
2022-01-05 15:22 ` [pve-devel] [RFC common 2/4] tools: add 'check_for_root' helper Oguz Bektas
2022-01-10 13:45 ` Fabian Grünbichler
2022-01-05 15:22 ` Oguz Bektas [this message]
2022-01-05 15:22 ` [pve-devel] [RFC qemu-server 4/4] api: use common helper for checking root privileges Oguz Bektas
2022-01-10 13:45 ` Fabian Grünbichler
2022-01-10 13:45 ` [pve-devel] [RFC access-control common container qemu-server 0/4] #2582: Sys.Root privilege Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220105152215.1307583-4-o.bektas@proxmox.com \
--to=o.bektas@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.