From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 8DF486AF9F for ; Thu, 17 Mar 2022 14:04:37 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 848664633 for ; Thu, 17 Mar 2022 14:04:37 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 7DDCD4627 for ; Thu, 17 Mar 2022 14:04:36 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 4A06C46E85 for ; Thu, 17 Mar 2022 14:04:36 +0100 (CET) Date: Thu, 17 Mar 2022 14:04:27 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20220311112504.595964-1-o.bektas@proxmox.com> In-Reply-To: <<20220311112504.595964-1-o.bektas@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid) Message-Id: <1647511956.jlne53t37v.astroid@nora.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.180 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [vzdump.pm, nodes.pm, storage.pm, qemu.pm, proxmox.com, backup.pm, tfa.pm, rpcenvironment.pm, accesscontrol.pm, status.pm, config.pm, lxc.pm, acl.pm] Subject: Re: [pve-devel] [PATCH v2 access-control++ 00/12] SuperUser privilege X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Mar 2022 13:04:37 -0000 On March 11, 2022 12:24 pm, Oguz Bektas wrote: > v1->v2: > * added some basic docs still missing even though I requested this a few times already: - list of API paths that are root-only still and why/plans on how to=20 proceed there - list of other things which are root-only still and why/plans on how to=20 proceed there or alternatively, comments where it makes sense for stuff that is and=20 remains root-only intentionally (forever, or for the time being). it's really hard otherwise for me to know what was missed/not looked=20 at/skipped for $reasons which are valid/skipped for $reasons which are=20 wrong. >=20 > changes in rest of the patches are in the separate mails. >=20 > big thanks to Fabian G. for the reviews and answering my questions > throughout the series :) >=20 > it's a complicated series so if i forgot something i'm sorry! >=20 > note: all the patches on the other repositories depend on the > access-control patches to be applied and installed first >=20 > docs: Oguz Bektas (1): > pveum: add SU privilege and SA role >=20 > pveum.adoc | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) >=20 > qemu-server: Oguz Bektas (2): > api: allow SU privileged users to edit root-only options for VM > configs > api: allow 'skiplock' option to be used by SU privileged users missing in qemu-server (besides stuff noted in reply to the patches): - an unmarked shortcut in $parse_backup_hints >=20 > PVE/API2/Qemu.pm | 122 ++++++++++++++++++++++++++++------------------- > 1 file changed, 72 insertions(+), 50 deletions(-) >=20 > manager: Oguz Bektas (4): > api: backup: allow SUs to use 'tmpdir', 'dumpdir' and 'script' options > api: vzdump: allow SUs to use 'bwlimit' and 'ionice' parameters > api: update comment about login prompt for non-root users > ui: adapt sensible 'root@pam' checks to SU privilege >=20 > PVE/API2/Backup.pm | 11 ++++++++--- > PVE/API2/Nodes.pm | 2 +- > PVE/API2/VZDump.pm | 8 +++++--- > www/manager6/dc/Config.js | 2 +- > www/manager6/lxc/Options.js | 2 +- > www/manager6/lxc/Resources.js | 2 +- > www/manager6/window/Migrate.js | 4 ++-- > 7 files changed, 19 insertions(+), 12 deletions(-) >=20 > container: Oguz Bektas (1): > fix #2582: api: add checks for 'SuperUser' privilege for root-only > options >=20 > src/PVE/API2/LXC.pm | 15 +++++++-------- > src/PVE/API2/LXC/Config.pm | 2 +- > src/PVE/API2/LXC/Status.pm | 12 ++++++++---- > src/PVE/LXC.pm | 21 ++++++++++++--------- > 4 files changed, 28 insertions(+), 22 deletions(-) >=20 > storage: Oguz Bektas (1): > check_volume_access: allow superusers to pass arbitrary fs paths >=20 > PVE/Storage.pm | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) >=20 > access-control: Oguz Bektas (3): > add "SuperAdministrator" role with the new "SuperUser" privilege > api: allow superusers to edit tfa and password settings > api: acl: only allow granting SU privilege if user already has it >=20 > src/PVE/API2/ACL.pm | 9 +++++++++ > src/PVE/API2/AccessControl.pm | 6 ++++++ > src/PVE/API2/TFA.pm | 7 +++++-- > src/PVE/AccessControl.pm | 9 ++++++--- > src/PVE/RPCEnvironment.pm | 2 +- > 5 files changed, 27 insertions(+), 6 deletions(-) >=20 > --=20 > 2.30.2 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20 >=20 >=20