Re: [pve-devel] [PATCH storage 1/4] check volume access: allow if user has VM.Config.Disk

["Fabian Grünbichler" <f.gruenbichler@proxmox.com>]

On March 29, 2022 9:48 am, Fabian Ebner wrote:
> Am 28.03.22 um 13:36 schrieb Fabian Grünbichler:
>> On March 28, 2022 11:07 am, Fabian Ebner wrote:
>>> Am 24.03.22 um 09:18 schrieb Fabian Grünbichler:
>>>> On March 22, 2022 10:31 am, Fabian Ebner wrote:
>>>>> Am 22.03.22 um 09:31 schrieb Fabian Ebner:
>>>>>> Am 21.03.22 um 14:06 schrieb Fabian Ebner:
>>>>>>> diff --git a/PVE/Storage.pm b/PVE/Storage.pm
>>>>>>> index 6112991..efa304a 100755
>>>>>>> --- a/PVE/Storage.pm
>>>>>>> +++ b/PVE/Storage.pm
>> 
>> [..]
>> 
>>>>>>> +	} elsif (($vtype eq 'images' || $vtype eq 'rootdir') && $ownervm) {
>>>>>>> +	    $rpcenv->check($user, "/vms/$ownervm", ['VM.Config.Disk']);
>>>>>>
>>>>>> Of course this needs to be or-ed with the Datastore.Allocate privilege.
>>>>>> Will fix it in v2.
>>>>
>>>> and and-ed with Datastore.AllocateSpace?
>>>>
>>>
>>> I'm not sure. For clone, that's currently not checked (it's enough to
>>> have VM.Clone and Datastore.AllocateSpace on the target storage, and I
>>> kept it consistent with that for the proposed import-from), so it would
>>> be a bit weird if listing the images requires it, while the actual
>>> operation doesn't. But I don't mind adding it, if you want me to?
>> 
>> for listing a storage's contents we also already check Datastore.Audit | 
>> Datastore.AllocateSpace (as part of the API schema), but for info and 
>> attribute updating we only check `check_volume_access` which would 
>> mean that with your change these suddenly allow brute force listing 
>> (with /vm permission, but no permissions on the storage) which 
>> doesn't seem ideal. for those two API endpoints with the current version 
>> of check_volume_access one of Datastore.Allocatespace, Allocate or Audit 
>> (depending on volume type) is needed implicitly via check_volume_access..
>> 
>> basically I see two options:
>> - extend your new branch in check_volume_access to require Datastore.X 
>>   (Audit or Allocatespace?) in addition to VM.Config.Disk => import-from 
>>   would require it, info/update_attributes in the storage API would 
>>   require it if they take that branch
>> - change info/update_attributes to require any of Datastore.Allocate, 
>>   Datastore.AllocateSpace, Datastore.Audit => import-from would not 
>>   require them.
> 
> import-from in its current form doesn't use check_volume_access() for
> the source volume if it belongs to a VM, but requires VM.Clone. Just
> like the clone_vm API call. So it's not import-from itself that would
> require different things depending on the variant we choose, but e.g.
> listing images for import-from in the UI.

yeah, I meant the GUI when talking about import-from, sorry for not 
being explicit.

>> I think I prefer the first variant, since it's internally consistent in 
>> check_volume_access (all the branches check some storage priv, unless 
>> the special 'we checked already and if the volume is owned by this VMID 
>> it's okay' path is taken via a passed in owner $vmid) and is less 
>> 'pitfall-y' (w.r.t. opening brute-force code paths like the info one).
> 
> I also prefer the first variant, but it can lead to a case where I
> cannot - via UI, to a target storage I have access to - import-from a
> single disk of a VM (just because I cannot list the image), but can
> clone the whole VM to the same target storage.

I think that's fine, we have plenty of areas where the backend allows 
more then the GUI offers ;) granted, most of that is root@pam only, but 
there is stuff like the GUI doesn't allow adding a 'foreign' disk to a 
VM, while the backend has no issue with that as long as you satisfy the 
priv checks. just because cloning and importing are similar and share 
some checks doesn't mean they are the same after all, so that the one 
with more flexibility (import) doesn't have all the options on the GUI 
(at least from the get-go) is not much of a surprise.

we could get around the limitation by offering another level of selector 
'source type'
- storage -> select storage -> list all accessible volumes on storage 
  (storage priv required)
- VM -> select VMID -> list all volumes referenced in VM config (no 
  storage priv required, just VM access)
- manual -> freeform entry (priv required depends on value)

that being said, only showing those disks where the user has full list 
permissions on the storage (+ some level of access to the VM config) 
sounds like a good compromise that will work in almost all cases - users 
that have Clone/VM.Allocate usually also have storage access ;)

>> we could of course think about extending it further in the direction of 
>> 'Datastore.Audit | Datastore.AllocateSpace' vs 'Datastore.AllocateSpace' 
>> via a flag to differentiate between reading a volume and 
>> writing/allocating one (and then in import-from, the source would only 
>> need Audit, while the target would need AllocateSpace). but that would 
>> require some more thought I think..
>> 
>> side-note: the check in clone_vm is a bit strange, it overrides the 
>> source storage with the target storage, but not for the vmstatestorage, 
>> so it basically rechecks the permissions for that single config key but 
>> not for any others.. maybe we should even drop the check for 
>> vmstatestorage? if it's in the config, somebody with the appropriate 
>> permission put it there after all, and if a user can clone that VM all 
>> the config comes with it?
> I'm not opposed to dropping that either. It's not like it changes the
> fact that the user can create state images on that storage (assuming the
> VM.Snapshot permission is not only granted for the clone's ID or
> something, but those are edge-cases worth ignoring IMHO).