* [pbs-devel] [PATCH proxmox-backup 1/3] api: sync: restrict edit permissions for push sync jobs
@ 2024-11-27 11:44 Christian Ebner
  2024-11-27 11:44 ` [pbs-devel] [PATCH proxmox-backup 2/3] api: sync: include required permissions for push direction Christian Ebner
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Christian Ebner @ 2024-11-27 11:44 UTC (permalink / raw)
  To: pbs-devel

Users require `Datastore.Audit` on the source datastore to read sync
jobs. Further restrict also the permissions to modify sync jobs in
push direction to include the `Datastore.Audit` permission on the
source, as otherwise a user is able to create or edit sync jobs in
push direction, but not able to see them.

Reported-by: Friedrich Weber <f.weber@proxmox.com>
Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
 src/api2/config/sync.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
index bc012744a..eb97ef940 100644
--- a/src/api2/config/sync.rs
+++ b/src/api2/config/sync.rs
@@ -129,6 +129,11 @@ pub fn check_sync_job_modify_access(
             }
 
             let source_privs = user_info.lookup_privs(auth_id, &job.acl_path());
+            // only allow to modify jobs the user is also allowed to read
+            if source_privs & PRIV_DATASTORE_AUDIT == 0 {
+                return false;
+            }
+
             // check user is allowed to read from (local) source datastore/namespace, independent
             // of job ownership
             if source_privs & PRIV_DATASTORE_READ != 0 {
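
Review bot: The new early return at `if source_privs & PRIV_DATASTORE_AUDIT == 0` hard-codes the rule for reading sync jobs inside the modify check, so the two can drift apart if the read rule ever changes. Consider reusing the check that gates reading sync jobs here, or at least extend the comment to say that this is `Datastore.Audit` on the source ACL path (`job.acl_path()`) and that it is meant for push direction, as the commit message describes. Because it runs before the `PRIV_DATASTORE_READ` test below, a caller holding only Datastore.Read on the source is now rejected before that test is reached; a test case covering a user with Read but without Audit would pin down that behaviour.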
-- 
2.39.5




Thread overview: 4+ messages
2024-11-27 11:44 [pbs-devel] [PATCH proxmox-backup 1/3] api: sync: restrict edit permissions for push sync jobs Christian Ebner
2024-11-27 11:44 ` [pbs-devel] [PATCH proxmox-backup 2/3] api: sync: include required permissions for push direction Christian Ebner
2024-11-27 11:44 ` [pbs-devel] [PATCH proxmox-backup 3/3] docs: mention required source audit permission for push sync jobs Christian Ebner
2024-11-27 12:25 ` [pbs-devel] applied-series: [PATCH proxmox-backup 1/3] api: sync: restrict edit permissions " Thomas Lamprecht
