From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 929F7882C2 for ; Wed, 5 Jan 2022 16:22:23 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 895FCA8E3 for ; Wed, 5 Jan 2022 16:22:23 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 5FC7BA8CE for ; Wed, 5 Jan 2022 16:22:22 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 31CCA46B6C for ; Wed, 5 Jan 2022 16:22:22 +0100 (CET) From: Oguz Bektas To: pve-devel@lists.proxmox.com Date: Wed, 5 Jan 2022 16:22:11 +0100 Message-Id: <20220105152215.1307583-1-o.bektas@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.647 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [qemu.pm, accesscontrol.pm, tools.pm, lxc.pm] Subject: [pve-devel] [RFC access-control common container qemu-server 0/4] #2582: Sys.Root privilege X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Jan 2022 15:22:23 -0000 sending this in as RFC, because i think it needs a bit of ironing out and discussing the quirky bits ;) i'm not done with pve-manager patch so that'll come with the v1, though API should work for testing the changes. it probably makes sense to also add a helper there, since at the moment we only check if Proxmox.UserName === 'root@pam' or in some cases specific permissions for storage and so forth, in order to decide whether to show/enable some GUI elements. container API already works pretty well. VM API should also work but i haven't tested this extensively w.r.t. storage and migration. some questions that popped up in my head: + should adding 'Sys.Root' privilege to a user give them all available privileges on that path? this would make sense as having a root-equivalent privilege should be already enough (otherwise it doesn't have much of a point?). since at some places we have things like: ------- } elsif ($target_vmid) { $rpcenv->check_vm_perm($authuser, $target_vmid, undef, ['VM.Config.Disk']) - if $authuser ne 'root@pam'; + if !$is_root; ------- where one could theoretically have root-eq privs but not the 'VM.Config.Disk' for the target vm... + $authuser could also be an (optional?) parameter for the helper in PVE::Tools, so that we could check arbitrary users and not only the current one. also on most of these we already call $rpcenv->get_user() before doing the check, so we could spare that call inside the helper if we do that consistently. + would it make sense to be able to give 'Sys.Root' on a single node (like on /nodes/foo instead of the whole cluster)? this seemed like a rabbithole to me since we'd have to lock down quite a bit of stuff to limit movement from one cluster member to the other, without any(?) worthwhile benefits? or might make sense to just allow 'Sys.Root' to be given on '/' (since it should be equivalent to root@pam anyway) + should root@pam have 'Sys.Root' by default? or does it make sense to still differentiate the "real" root user and the "impersonated" one? pve-access-control: Oguz Bektas (1): add Sys.Root privilege src/PVE/AccessControl.pm | 1 + 1 file changed, 1 insertion(+) pve-common: Oguz Bektas (1): tools: add 'check_for_root' helper src/PVE/Tools.pm | 9 +++++++++ 1 file changed, 9 insertions(+) pve-container: Oguz Bektas (1): fix #2582: api: use common helper for checking root privileges src/PVE/API2/LXC.pm | 5 ++--- src/PVE/LXC.pm | 8 +++++--- 2 files changed, 7 insertions(+), 6 deletions(-) qemu-server: Oguz Bektas (1): api: use common helper for checking root privileges PVE/API2/Qemu.pm | 74 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 49 insertions(+), 25 deletions(-) -- 2.30.2