From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 8D8E661DEE
 for <pve-devel@lists.proxmox.com>; Thu, 10 Feb 2022 16:30:40 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 846501F26A
 for <pve-devel@lists.proxmox.com>; Thu, 10 Feb 2022 16:30:10 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 59FA31F261
 for <pve-devel@lists.proxmox.com>; Thu, 10 Feb 2022 16:30:09 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 2DD8146DD7
 for <pve-devel@lists.proxmox.com>; Thu, 10 Feb 2022 16:30:09 +0100 (CET)
Date: Thu, 10 Feb 2022 16:30:02 +0100
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
References: <20220208131011.752134-1-o.bektas@proxmox.com>
 <20220208131011.752134-4-o.bektas@proxmox.com>
In-Reply-To: <<20220208131011.752134-4-o.bektas@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid)
Message-Id: <1644493686.5emiz9u4bh.astroid@nora.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.193 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [status.pm, proxmox.com, lxc.pm]
Subject: Re: [pve-devel] [PATCH v1 container 3/5] fix #2582: api: add checks
 for 'SuperUser' privilege for root-only options
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2022 15:30:40 -0000

On February 8, 2022 2:10 pm, Oguz Bektas wrote:
> this way we can allow non-root users to act as a SU on specific
> root-only API paths by giving them the built-in SA role or a custom role
> with the SU privilege included.
>=20
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
>  src/PVE/API2/LXC.pm        | 13 ++++++-------
>  src/PVE/API2/LXC/Status.pm |  8 ++++++--
>  src/PVE/LXC.pm             |  9 ++++++---
>  3 files changed, 18 insertions(+), 12 deletions(-)
>=20
> diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
> index 7573814..b24e405 100644
> --- a/src/PVE/API2/LXC.pm
> +++ b/src/PVE/API2/LXC.pm
> @@ -295,7 +295,7 @@ __PACKAGE__->register_method({
> =20
>  	my $conf =3D {};
> =20
> -	my $is_root =3D $authuser eq 'root@pam';
> +	my $is_superuser =3D $authuser eq 'root@pam' || $rpcenv->check($authuse=
r, "/vms/$vmid", ['SuperUser'], 1);
> =20
>  	my $no_disk_param =3D {};
>  	my $mp_param =3D {};
> @@ -330,8 +330,8 @@ __PACKAGE__->register_method({
>  	    my $mp =3D $mountpoint->{mp};
> =20
>  	    if ($mountpoint->{type} ne 'volume') { # bind or device
> -		die "Only root can pass arbitrary filesystem paths.\n"
> -		    if !$is_root;
> +		die "Only superusers can pass arbitrary filesystem paths.\n"
> +		    if !$is_superuser;

schema still has root-only in the description, both here and in the=20
update path..

>  	    } else {
>  		my ($sid, $volname) =3D PVE::Storage::parse_volume_id($volid);
>  		&$check_and_activate_storage($sid);
> @@ -371,7 +371,7 @@ __PACKAGE__->register_method({
>  			# causing it to restore the raw lxc entries, among which there may be
>  			# 'lxc.idmap' entries. We need to make sure that the extracted conten=
ts
>  			# of the container match up with the restored configuration afterward=
s:
> -			$conf->{lxc} =3D $orig_conf->{lxc} if $is_root;
> +			$conf->{lxc} =3D $orig_conf->{lxc} if $is_superuser;
> =20
>  			$conf->{unprivileged} =3D $orig_conf->{unprivileged}
>  			    if !defined($unprivileged) && defined($orig_conf->{unprivileged})=
;
> @@ -405,8 +405,7 @@ __PACKAGE__->register_method({
>  				my $type =3D $mountpoint->{type};
>  				die "restoring rootfs to $type mount is only possible by specifying =
-rootfs manually!\n"
>  				    if ($ms eq 'rootfs');
> -				die "restoring '$ms' to $type mount is only possible for root\n"
> -				    if !$is_root;
> +				die "restoring '$ms' to $type mount is only possible for root\n" if =
!$is_superuser;

still references root

> =20
>  				if ($mountpoint->{backup}) {
>  				    warn "WARNING - unsupported configuration!\n";
> @@ -447,7 +446,7 @@ __PACKAGE__->register_method({
> =20
>  		    if ($restore) {
>  			print "merging backed-up and given configuration..\n";
> -			PVE::LXC::Create::restore_configuration($vmid, $storage_cfg, $archive=
, $rootdir, $conf, !$is_root, $unique, $skip_fw_config_restore);
> +			PVE::LXC::Create::restore_configuration($vmid, $storage_cfg, $archive=
, $rootdir, $conf, !$is_superuser, $unique, $skip_fw_config_restore);
>  			my $lxc_setup =3D PVE::LXC::Setup->new($conf, $rootdir);
>  			$lxc_setup->template_fixup($conf);
>  		    } else {
> diff --git a/src/PVE/API2/LXC/Status.pm b/src/PVE/API2/LXC/Status.pm
> index f7e3128..791cdc6 100644
> --- a/src/PVE/API2/LXC/Status.pm
> +++ b/src/PVE/API2/LXC/Status.pm
> @@ -150,9 +150,11 @@ __PACKAGE__->register_method({
>  	my $node =3D extract_param($param, 'node');
>  	my $vmid =3D extract_param($param, 'vmid');
> =20
> +	my $is_superuser =3D $authuser eq 'root@pam' || $rpcenv->check($authuse=
r, "/vms/$vmid", ['SuperUser'], 1);
> +
>  	my $skiplock =3D extract_param($param, 'skiplock');
>  	raise_param_exc({ skiplock =3D> "Only root may use this option." })

nit: message needs updating (repeated a few times below)

> -	    if $skiplock && $authuser ne 'root@pam';
> +	    if $skiplock && !$is_superuser;
> =20
>  	die "CT $vmid already running\n" if PVE::LXC::check_running($vmid);
> =20
> @@ -234,9 +236,11 @@ __PACKAGE__->register_method({
>  	my $node =3D extract_param($param, 'node');
>  	my $vmid =3D extract_param($param, 'vmid');
> =20
> +	my $is_superuser =3D $authuser eq 'root@pam' || $rpcenv->check($authuse=
r, "/vms/$vmid", ['SuperUser'], 1);
> +
>  	my $skiplock =3D extract_param($param, 'skiplock');
>  	raise_param_exc({ skiplock =3D> "Only root may use this option." })
> -	    if $skiplock && $authuser ne 'root@pam';
> +	    if $skiplock && !$is_superuser;
> =20
>  	die "CT $vmid not running\n" if !PVE::LXC::check_running($vmid);
> =20
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index b07d986..6b5125c 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1254,7 +1254,9 @@ sub template_create {
>  sub check_ct_modify_config_perm {
>      my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf, $delete, $=
unprivileged) =3D @_;
> =20
> -    return 1 if $authuser eq 'root@pam';
> +    my $is_superuser =3D $authuser eq 'root@pam' || $rpcenv->check($auth=
user, "/vms/$vmid", ['SuperUser']);
> +    return 1 if $is_superuser;

so.. 'SuperUser' on its own should only skip those parts where root@pam=20
was previously a requirement on top of other checks, but instead=20
'SuperUser' can now modify the config however even with no other privs?

> +
>      my $storage_cfg =3D PVE::Storage::config();
> =20
>      my $check =3D sub {
> @@ -1320,12 +1322,13 @@ sub check_ct_modify_config_perm {

here there is the non-volume part that is still root-only, with no=20
comment about why that one is not switched to 'SuperUser'?

also, features for privileged containers is still root-only (should=20
probably require VM.Allocate + SuperUser, when looking at the=20
create/restore path).

>  		}
>  	    }
>  	    raise_perm_exc("changing feature flags (except nesting) is only all=
owed for root\@pam")

wrong message now

> -		if $other_changed;
> +		if $other_changed && !$is_superuser;
>  	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Allocate'])
>  		if $nesting_changed;
>  	} elsif ($opt eq 'hookscript') {
>  	    # For now this is restricted to root@pam
> -	    raise_perm_exc("changing the hookscript is only allowed for root\@p=
am");
> +	    raise_perm_exc("changing the hookscript is only allowed for root\@p=
am")
> +		if !$is_superuser;

comment, message and code don't agree

>  	} else {
>  	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options=
']);
>  	}
> --=20
> 2.30.2
>=20
>=20
>=20
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>=20
>=20
>=20