From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 0F27E6DF0E for ; Mon, 28 Mar 2022 13:37:29 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id F2A7125389 for ; Mon, 28 Mar 2022 13:36:58 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 787B42537E for ; Mon, 28 Mar 2022 13:36:57 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 40D204292C for ; Mon, 28 Mar 2022 13:36:57 +0200 (CEST) Date: Mon, 28 Mar 2022 13:36:48 +0200 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Fabian Ebner , pve-devel@lists.proxmox.com References: <20220321130633.62086-1-f.ebner@proxmox.com> <20220321130633.62086-2-f.ebner@proxmox.com> <159a4067-39b4-c63a-c267-189c908465c3@proxmox.com> <8f1859ba-c782-7dee-09e6-7fac1561ce74@proxmox.com> <1648109081.y13k852cx6.astroid@nora.none> In-Reply-To: MIME-Version: 1.0 User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid) Message-Id: <1648465767.vrjikn849t.astroid@nora.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.179 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pve-devel] [PATCH storage 1/4] check volume access: allow if user has VM.Config.Disk X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Mar 2022 11:37:29 -0000 On March 28, 2022 11:07 am, Fabian Ebner wrote: > Am 24.03.22 um 09:18 schrieb Fabian Gr=C3=BCnbichler: >> On March 22, 2022 10:31 am, Fabian Ebner wrote: >>> Am 22.03.22 um 09:31 schrieb Fabian Ebner: >>>> Am 21.03.22 um 14:06 schrieb Fabian Ebner: >>>>> diff --git a/PVE/Storage.pm b/PVE/Storage.pm >>>>> index 6112991..efa304a 100755 >>>>> --- a/PVE/Storage.pm >>>>> +++ b/PVE/Storage.pm [..] >>>>> + } elsif (($vtype eq 'images' || $vtype eq 'rootdir') && $ownervm) { >>>>> + $rpcenv->check($user, "/vms/$ownervm", ['VM.Config.Disk']); >>>> >>>> Of course this needs to be or-ed with the Datastore.Allocate privilege= . >>>> Will fix it in v2. >>=20 >> and and-ed with Datastore.AllocateSpace? >> >=20 > I'm not sure. For clone, that's currently not checked (it's enough to > have VM.Clone and Datastore.AllocateSpace on the target storage, and I > kept it consistent with that for the proposed import-from), so it would > be a bit weird if listing the images requires it, while the actual > operation doesn't. But I don't mind adding it, if you want me to? for listing a storage's contents we also already check Datastore.Audit |=20 Datastore.AllocateSpace (as part of the API schema), but for info and=20 attribute updating we only check `check_volume_access` which would=20 mean that with your change these suddenly allow brute force listing=20 (with /vm permission, but no permissions on the storage) which=20 doesn't seem ideal. for those two API endpoints with the current version=20 of check_volume_access one of Datastore.Allocatespace, Allocate or Audit=20 (depending on volume type) is needed implicitly via check_volume_access.. basically I see two options: - extend your new branch in check_volume_access to require Datastore.X=20 (Audit or Allocatespace?) in addition to VM.Config.Disk =3D> import-from=20 would require it, info/update_attributes in the storage API would=20 require it if they take that branch - change info/update_attributes to require any of Datastore.Allocate,=20 Datastore.AllocateSpace, Datastore.Audit =3D> import-from would not=20 require them. I think I prefer the first variant, since it's internally consistent in=20 check_volume_access (all the branches check some storage priv, unless=20 the special 'we checked already and if the volume is owned by this VMID=20 it's okay' path is taken via a passed in owner $vmid) and is less=20 'pitfall-y' (w.r.t. opening brute-force code paths like the info one). we could of course think about extending it further in the direction of=20 'Datastore.Audit | Datastore.AllocateSpace' vs 'Datastore.AllocateSpace'=20 via a flag to differentiate between reading a volume and=20 writing/allocating one (and then in import-from, the source would only=20 need Audit, while the target would need AllocateSpace). but that would=20 require some more thought I think.. side-note: the check in clone_vm is a bit strange, it overrides the=20 source storage with the target storage, but not for the vmstatestorage,=20 so it basically rechecks the permissions for that single config key but=20 not for any others.. maybe we should even drop the check for=20 vmstatestorage? if it's in the config, somebody with the appropriate=20 permission put it there after all, and if a user can clone that VM all=20 the config comes with it?