From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Friedrich Weber <f.weber@proxmox.com>,
Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH guest-common v2 1/6] guest helpers: add helper to overrule active tasks of a specific type
Date: Sat, 6 Apr 2024 10:37:19 +0200 [thread overview]
Message-ID: <8616c9a1-9e2c-4147-bd55-c4c8e8511ce4@proxmox.com> (raw)
In-Reply-To: <3106df5e-8b31-41f2-b66a-70c433faa4c1@proxmox.com>
Am 05/04/2024 um 15:13 schrieb Friedrich Weber:
> On 04/04/2024 17:20, Thomas Lamprecht wrote:
>> Or does it even make sense to check this at all?
>> As long as the user has the rights to execute a stop they probably
>> should also be able to force it at any time, even for other users?
>
> The usecase sounds reasonable, but would technically amount to a small
> privilege escalation: Currently, if user A and user B both have
> PVEVMUser and user A starts a `vzshutdown` task, user B must have
> `Sys.Modify` to kill the task.
>
Hmm, yeah, this is definitively something one could argue about as
we currently do not have much overruling functionality of tasks triggered
by other users that can manage a specific resource, but not the whole
system. So this is essential new territory w.r.t. semantics, and we can
also adapt new ones, albeit they should certainly not be completely
unexpected.
>> Maybe make this optional and only enforce it for users that do not
>> have some more powerful priv?
>
> We could introduce a similar check as for the DELETE
> /nodes/{node}/tasks/{upid} endpoint: Users can always overrule their own
> guest tasks, and with `Sys.Modify` they can overrule any guest task (for
> guests for which they have the necessary permission).
Yeah, I think that would be a safe bet for now.
> Still, right now I think the primary motivation for this overruling
> feature is to save GUI users some frustration and/or clicks. In this
> scenario, a user will overrule only their own tasks, which is possible
> with the current check. What do you think about keeping the check as it
> is for now, and making it more permissive once the need arises?
I think that allowing users that hold the respective Sys.Modify and
VM.PowerMgmt to overrule any tasks from the start wouldn't be to much
"speculative future-proofing" but rather something expected while still
safe.
FWIW, you could also drop the $authuser then and just get it from
the RPCEnv singleton available in all API call-paths and then do
the permission check in the helper directly.
This would IMO be also a bit better w.r.t. conveying why we do it this
way.
next prev parent reply other threads:[~2024-04-06 8:37 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-30 17:10 [pve-devel] [PATCH guest-common/container/qemu-server/manager v2 0/6] fix #4474: stop tasks may overrule shutdown tasks Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH guest-common v2 1/6] guest helpers: add helper to overrule active tasks of a specific type Friedrich Weber
2024-04-04 15:20 ` Thomas Lamprecht
2024-04-05 13:13 ` Friedrich Weber
2024-04-06 8:37 ` Thomas Lamprecht [this message]
2024-04-08 8:38 ` Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH container v2 2/6] api: status: move config locking from API handler into worker Friedrich Weber
2024-04-04 15:26 ` [pve-devel] applied: " Thomas Lamprecht
2024-04-05 13:16 ` Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH container v2 3/6] fix #4474: lxc api: add overrule-shutdown parameter to stop endpoint Friedrich Weber
2024-04-06 15:07 ` Thomas Lamprecht
2024-04-08 8:59 ` Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH qemu-server v2 4/6] fix #4474: qemu " Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH manager v2 5/6] ui: fix typo to make pve-cluster-tasks store globally available Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH manager v2 6/6] fix #4474: ui: guest stop: offer to overrule active shutdown tasks Friedrich Weber
2024-04-03 6:55 ` [pve-devel] [PATCH guest-common/container/qemu-server/manager v2 0/6] fix #4474: stop tasks may overrule " Friedrich Weber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8616c9a1-9e2c-4147-bd55-c4c8e8511ce4@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=f.weber@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal