From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id ACBF361E20 for ; Thu, 10 Feb 2022 16:29:39 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 975E11F124 for ; Thu, 10 Feb 2022 16:29:09 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id D43621F11B for ; Thu, 10 Feb 2022 16:29:05 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A6A9946DCB for ; Thu, 10 Feb 2022 16:29:05 +0100 (CET) Date: Thu, 10 Feb 2022 16:28:58 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20220208131011.752134-1-o.bektas@proxmox.com> In-Reply-To: <20220208131011.752134-1-o.bektas@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid) Message-Id: <1644505944.9c8vw9wejc.astroid@nora.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.194 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [status.pm, rpcenvironment.pm, lxc.pm, tfa.pm, accesscontrol.pm, proxmox.com, qemu.pm] Subject: Re: [pve-devel] [PATCH v1 access-control++ 0/5] SuperUser privilege X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Feb 2022 15:29:39 -0000 see individual patches for in-depth review of changes, some broader=20 remarks: - I am missing info about parts you looked at but left as-is (and=20 rationale for why those parts stay root only) - especially relevant would be a list of currently=20 unqualified/root-only-by-default API endpoints and actions taken or=20 not taken + reasons e.g. some parts that are missing that I found with random grepping (in=20 addition to stuff I mentioned in my other replies), where I have no idea=20 whether you even look at them and decided they are okay as-is, or missed=20 them: - PVE::API2::Backup (tmpdir, dumpdir, script parameters) - PVE::API2::VZDump (maxfiles prune-backups tmpdir dumpdir script bwlimit i= onice) - PVE::API2::ClusterConfig (we talked about that off-list, but some=20 mention in the actual patch series would still be good) - PVE::Storage::check_volume_access , which is used in quite a few=20 places.. On February 8, 2022 2:10 pm, Oguz Bektas wrote: > "SuperUser" (henceforth referred as SU) privilege allows to give > root-only permissions to API users, enabling them to perform privileged > actions on behalf of root@pam. >=20 > this privilege is enabled by default for "root@pam", and also mapped > inside "SuperAdministrator" (referred as SA) >=20 > changes from RFC (thanks for the review fabian g.!): > * manager: allow SAs to see/edit certain things on GUI > * qemu-server: also check the required non-root > VM privileges along with the SU priv > * pve-container: adapted error messages, changed variable name to > "is_superuser" for better clarity (in comparison to prev. "is_root" > which is a bit confusing) > * access-control: TFA permissions adaptation for SAs >=20 >=20 > access-control: >=20 > Oguz Bektas (2): > add "SuperAdministrator" role with the new "SuperUser" privilege > tfa: allow superusers to edit root@pam tfa >=20 > src/PVE/API2/TFA.pm | 7 +++++-- > src/PVE/AccessControl.pm | 9 ++++++--- > src/PVE/RPCEnvironment.pm | 2 +- > 3 files changed, 12 insertions(+), 6 deletions(-) >=20 > container: >=20 > Oguz Bektas (1): > fix #2582: api: add checks for 'SuperUser' privilege for root-only > options >=20 > src/PVE/API2/LXC.pm | 13 ++++++------- > src/PVE/API2/LXC/Status.pm | 8 ++++++-- > src/PVE/LXC.pm | 9 ++++++--- > 3 files changed, 18 insertions(+), 12 deletions(-) >=20 > manager: >=20 > Oguz Bektas (1): > change 'root@pam' checks with 'SuperUser' capability check >=20 > www/manager6/Utils.js | 3 ++- > www/manager6/dc/Config.js | 2 +- > www/manager6/dc/UserView.js | 2 +- > www/manager6/lxc/Options.js | 2 +- > www/manager6/lxc/Resources.js | 2 +- > www/manager6/node/Config.js | 2 +- > www/manager6/window/Migrate.js | 4 ++-- > 7 files changed, 9 insertions(+), 8 deletions(-) >=20 > qemu-server: >=20 > Oguz Bektas (1): > add SuperUser privilege checks for root-only options >=20 > PVE/API2/Qemu.pm | 119 +++++++++++++++++++++++++++++------------------ > 1 file changed, 73 insertions(+), 46 deletions(-) >=20 > --=20 > 2.30.2 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20 >=20 >=20