From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id EFCB6604DD for ; Mon, 10 Jan 2022 14:46:06 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id EA1101A39 for ; Mon, 10 Jan 2022 14:45:36 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id D2A3B1A2E for ; Mon, 10 Jan 2022 14:45:35 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id AC5A246C18 for ; Mon, 10 Jan 2022 14:45:35 +0100 (CET) Date: Mon, 10 Jan 2022 14:45:28 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20220105152215.1307583-1-o.bektas@proxmox.com> In-Reply-To: <20220105152215.1307583-1-o.bektas@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid) Message-Id: <1641818848.hfyfihl851.astroid@nora.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.070 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [RFC access-control common container qemu-server 0/4] #2582: Sys.Root privilege X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jan 2022 13:46:07 -0000 On January 5, 2022 4:22 pm, Oguz Bektas wrote: > sending this in as RFC, because i think it needs a bit of ironing > out and discussing the quirky bits ;) thanks for picking up the work on this seemingly-open-forever bug ;)=20 summarizing the previous discussions would be helpful for a=20 cover-letter: - why do we want/need/... this? (i.e., what problem(s) does this solve?) - other possible approaches besides a new privilege (and why prefer a=20 priv over them?) - clear semantics of the new privilege (e.g., below about whether it=20 implies all other privs or not) > i'm not done with pve-manager patch so that'll come with the v1, though A= PI > should work for testing the changes. besides pve-manager, there are also possible call-sites in=20 pve-access-control and pve-cluster - did you check those? >=20 > it probably makes sense to also add a helper there, since at the moment > we only check if Proxmox.UserName =3D=3D=3D 'root@pam' or in some cases > specific permissions for storage and so forth, in order to decide > whether to show/enable some GUI elements. >=20 > container API already works pretty well. VM API should also work but i ha= ven't > tested this extensively w.r.t. storage and migration. >=20 > some questions that popped up in my head: >=20 > + should adding 'Sys.Root' privilege to a user give them all available > privileges on that path? this would make sense as having a > root-equivalent privilege should be already enough (otherwise it doesn't > have much of a point?). since at some places we have things like: hmm, this is a tricky question and probably one that we should document=20 explicitly. given that Sys.Root implies that you are allowed to do=20 dangerous stuff that easily allows you to obtain root-level access,=20 using the existing "'root@pam' has all privileges" as "'Sys.root'=20 implies all other privileges on current path" probably makes sense and=20 simplifies the logic considerably. >=20 > ------- > } elsif ($target_vmid) { > $rpcenv->check_vm_perm($authuser, $target_vmid, undef, ['VM.C= onfig.Disk']) > - if $authuser ne 'root@pam'; > + if !$is_root; this is just a short-cut to avoid the (possibly expensive) check, as the=20 check cannot ever fail for root@pam by definition. I think these could=20 just stay as checking for the user - if we include 'Sys.Root' the=20 short-cut is no longer cheap (and obviously, if 'Sys.Root' does not=20 imply having all the other privs, changing it would be wrong as well). > ------- >=20 > where one could theoretically have root-eq privs but not the 'VM.Config.D= isk' for the target vm... >=20 >=20 > + $authuser could also be an (optional?) parameter for the helper in > PVE::Tools, so that we could check arbitrary users and not only the curre= nt > one. also on most of these we already call $rpcenv->get_user() before doi= ng the > check, so we could spare that call inside the helper if we do that > consistently. see review for that patch >=20 > + would it make sense to be able to give 'Sys.Root' on a single node (lik= e on > /nodes/foo instead of the whole cluster)? this seemed like a rabbithole t= o me > since we'd have to lock down quite a bit of stuff to limit movement from = one > cluster member to the other, without any(?) worthwhile benefits? or might= make > sense to just allow 'Sys.Root' to be given on '/' (since it should be > equivalent to root@pam anyway) like you said, this is a totally different can of worms and orthogonal=20 to introducing this privilege. there are some areas where adding new ACL=20 namespaces and paths might make sense (like nodes, but also things like=20 the firewall, networks/.., ..), but those require really careful=20 evaluation as changing stuff afterwards is quite involved. this series might be a good way to go through all the places where we=20 don't have real ACLs at the moment though and categorize them: - local HW access - 'forcing' stuff (skiplock et al) - ... to determine areas where we can improve without the root@pam/Sys.Root=20 cludge (by introducing new abstractions / ACL namespaces / privileges). >=20 > + should root@pam have 'Sys.Root' by default? or does it make sense to st= ill > differentiate the "real" root user and the "impersonated" one? see review for helper patch and comments above ;) >=20 > pve-access-control: >=20 > Oguz Bektas (1): > add Sys.Root privilege >=20 > src/PVE/AccessControl.pm | 1 + > 1 file changed, 1 insertion(+) >=20 > pve-common: >=20 > Oguz Bektas (1): > tools: add 'check_for_root' helper >=20 > src/PVE/Tools.pm | 9 +++++++++ > 1 file changed, 9 insertions(+) >=20 > pve-container: >=20 > Oguz Bektas (1): > fix #2582: api: use common helper for checking root privileges >=20 > src/PVE/API2/LXC.pm | 5 ++--- > src/PVE/LXC.pm | 8 +++++--- > 2 files changed, 7 insertions(+), 6 deletions(-) >=20 > qemu-server: >=20 > Oguz Bektas (1): > api: use common helper for checking root privileges >=20 > PVE/API2/Qemu.pm | 74 ++++++++++++++++++++++++++++++++---------------- > 1 file changed, 49 insertions(+), 25 deletions(-) >=20 >=20 > --=20 > 2.30.2 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20 >=20 >=20