From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id DBDDA1FF13E for ; Fri, 17 Apr 2026 11:49:24 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 833711CC2E; Fri, 17 Apr 2026 11:49:24 +0200 (CEST) Message-ID: Date: Fri, 17 Apr 2026 11:48:49 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta Subject: Re: [PATCH proxmox/yew-pwt/datacenter-manager/installer v3 00/38] add auto-installer integration To: Lukas Wagner , Christoph Heiss , pdm-devel@lists.proxmox.com References: <20260403165437.2166551-1-c.heiss@proxmox.com> <8079685a-be9c-4e28-954c-bd1debe7ce7d@proxmox.com> Content-Language: en-US From: Dominik Csapak In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776419250032 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.101 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: B4ORTE5DDHNUXSHHPH47K22SGBWD2BCL X-Message-ID-Hash: B4ORTE5DDHNUXSHHPH47K22SGBWD2BCL X-MailFrom: d.csapak@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On 4/17/26 11:23 AM, Lukas Wagner wrote: > On Fri Apr 17, 2026 at 11:10 AM CEST, Dominik Csapak wrote: >> also two things i forgot: >> >> i think we could make the endpoint available without authentication? >> at least that's what i would have expected, since the current >> http endpoints also had to be public? >> >> second things is about the tokens + acl, I'd probably >> use the existing token acl mechanism, so instead of >> having custom tokens + a token list per answer, >> >> use the standard pdm tokens + an acl path (e.g. >> /system/auto-installation/answers/ ) maybe a separate privilege >> could make sense here, so the token does not have access >> to anything else? >> > > Check out my response to v2, which is (I think) the main reason why it > is implemented like it is right now: > > https://lore.proxmox.com/all/DETMUXY1Q877.32G593TWC52WW@proxmox.com/T/#u > ok i see, but i have some counter arguments to that, for brevity, here is part of your response from that mail: --- I think this is dangerous. While the answer-file does not leak any passwords (seems like the root password is hashed), it still contains semi-sensitive data (email address, SSH key, FQDN, etc.). Also, since each POST creates a new entry in the installations JSON file, an unauthenticated user could abuse this to make the PDM system run out of disk space (or simply disturb operations by creating bogus entries). --- We already had the requirement for a http endpoint to be unauthenticated so for a secured and protected network, this should be a non issue also i'm not for making it unauthenticated for all responses, but make it the admins choice. as for the DOS vector of pdm, we could check if the user was authenticated, and only generate the data then. but how much data is that really? e.g. each api call (authenticated or not) creates a new line in the access log. so with enough api calls, i can fill up the disk too...