From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH manager 1/6] api: vzdump: soften parameter permission checks
Date: Wed, 16 Nov 2022 15:04:30 +0100 [thread overview]
Message-ID: <20221116140435.93067-2-f.ebner@proxmox.com> (raw)
In-Reply-To: <20221116140435.93067-1-f.ebner@proxmox.com>
Allows sufficiently privileged users to pass-in retention and
performance parameters for manual backup, but keeps tmpdir, dumpdir
and script root-only. Such users could already edit the job
accordingly, so essentially not granting anything new.
Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
PVE/API2/Backup.pm | 15 ++++++++++-----
PVE/API2/VZDump.pm | 25 ++++++++++++++++++-------
2 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 3a079874..6aef5bb7 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -40,14 +40,19 @@ my $vzdump_job_id_prop = {
maxLength => 50
};
-my $assert_param_permission = sub {
- my ($param, $user) = @_;
+# NOTE: also used by the vzdump API call.
+sub assert_param_permission_common {
+ my ($rpcenv, $user, $param) = @_;
return if $user eq 'root@pam'; # always OK
for my $key (qw(tmpdir dumpdir script)) {
raise_param_exc({ $key => "Only root may set this option."}) if exists $param->{$key};
}
-};
+
+ if (defined($param->{bwlimit}) || defined($param->{ionice}) || defined($param->{performance})) {
+ $rpcenv->check($user, "/", [ 'Sys.Modify' ]);
+ }
+}
my $convert_to_schedule = sub {
my ($job) = @_;
@@ -207,7 +212,7 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
- $assert_param_permission->($param, $user);
+ assert_param_permission_common($rpcenv, $user, $param);
if (my $pool = $param->{pool}) {
$rpcenv->check_pool_exist($pool);
@@ -419,7 +424,7 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
- $assert_param_permission->($param, $user);
+ assert_param_permission_common($rpcenv, $user, $param);
if (my $pool = $param->{pool}) {
$rpcenv->check_pool_exist($pool);
diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm
index 30d47825..8e873c05 100644
--- a/PVE/API2/VZDump.pm
+++ b/PVE/API2/VZDump.pm
@@ -14,12 +14,25 @@ use PVE::Tools qw(extract_param);
use PVE::VZDump::Common;
use PVE::VZDump;
+use PVE::API2::Backup;
use PVE::API2Tools;
use Data::Dumper; # fixme: remove
use base qw(PVE::RESTHandler);
+my sub assert_param_permission_vzdump {
+ my ($rpcenv, $user, $param) = @_;
+ return if $user eq 'root@pam'; # always OK
+
+ PVE::API2::Backup::assert_param_permission_common($rpcenv, $user, $param);
+
+ if (!$param->{dumpdir} && (defined($param->{maxfiles}) || defined($param->{'prune-backups'}))) {
+ my $storeid = $param->{storage} || 'local';
+ $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
+ } # no else branch, because dumpdir is root-only
+}
+
__PACKAGE__->register_method ({
name => 'vzdump',
path => '',
@@ -27,9 +40,10 @@ __PACKAGE__->register_method ({
description => "Create backup.",
permissions => {
description => "The user needs 'VM.Backup' permissions on any VM, and "
- ."'Datastore.AllocateSpace' on the backup storage. The 'maxfiles', 'prune-backups', "
- ."'tmpdir', 'dumpdir', 'script', 'bwlimit', 'performance' and 'ionice' parameters are "
- ."restricted to the 'root\@pam' user.",
+ ."'Datastore.AllocateSpace' on the backup storage. The 'tmpdir', 'dumpdir' and "
+ ."'script' parameters are restricted to the 'root\@pam' user. The 'maxfiles' and "
+ ."'prune-backups' settings require 'Datastore.Allocate' on the backup storage. The "
+ ."'bwlimit', 'performance' and 'ionice' parameters require 'Sys.Modify' on '/'.",
user => 'all',
},
protected => 1,
@@ -62,10 +76,7 @@ __PACKAGE__->register_method ({
if $param->{stdout};
}
- for my $key (qw(maxfiles prune-backups tmpdir dumpdir script bwlimit performance ionice)) {
- raise_param_exc({ $key => "Only root may set this option."})
- if defined($param->{$key}) && ($user ne 'root@pam');
- }
+ assert_param_permission_vzdump($rpcenv, $user, $param);
PVE::VZDump::verify_vzdump_parameters($param, 1);
--
2.30.2
next prev parent reply other threads:[~2022-11-16 14:04 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-16 14:04 [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
2022-11-16 14:04 ` Fiona Ebner [this message]
2022-11-21 14:58 ` [pve-devel] applied: [PATCH manager 1/6] api: vzdump: soften parameter permission checks Thomas Lamprecht
2022-11-16 14:04 ` [pve-devel] [PATCH manager 2/6] api: backup: update: turn delete into a hash Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 3/6] api: backup: update: allow only deleting Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 4/6] api: backup: update: check permissions of delete params too Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 5/6] api: backup: require Datastore.Allocate on storage Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 6/6] api: backup/vzdump: add get_storage_param helper Fiona Ebner
2023-04-05 7:43 ` [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
2023-06-06 6:33 ` Fiona Ebner
2023-06-07 14:58 ` [pve-devel] applied: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221116140435.93067-2-f.ebner@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.