From: Oguz Bektas <o.bektas@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH container 3/4] fix #2582: api: use common helper for checking root privileges
Date: Wed, 5 Jan 2022 16:22:14 +0100 [thread overview]
Message-ID: <20220105152215.1307583-4-o.bektas@proxmox.com> (raw)
In-Reply-To: <20220105152215.1307583-1-o.bektas@proxmox.com>
we just check if the authenticated user has the 'Sys.Root' privilege on
a given path and set the $is_root variable accordingly if so.
tagged as fix for #2582 since with this series the usecase on the
bugreport should be fulfilled.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
src/PVE/API2/LXC.pm | 2 +-
src/PVE/LXC.pm | 9 ++++++---
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index 7573814..64ecc5f 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -295,7 +295,7 @@ __PACKAGE__->register_method({
my $conf = {};
- my $is_root = $authuser eq 'root@pam';
+ my $is_root = PVE::Tools::check_for_root("/vms");
my $no_disk_param = {};
my $mp_param = {};
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index b07d986..1844b04 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1254,7 +1254,9 @@ sub template_create {
sub check_ct_modify_config_perm {
my ($rpcenv, $authuser, $vmid, $pool, $oldconf, $newconf, $delete, $unprivileged) = @_;
- return 1 if $authuser eq 'root@pam';
+ my $is_root = PVE::Tools::check_for_root("/vms/$vmid");
+ return 1 if $is_root;
+
my $storage_cfg = PVE::Storage::config();
my $check = sub {
@@ -1320,12 +1322,13 @@ sub check_ct_modify_config_perm {
}
}
raise_perm_exc("changing feature flags (except nesting) is only allowed for root\@pam")
- if $other_changed;
+ if $other_changed && !$is_root;
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Allocate'])
if $nesting_changed;
} elsif ($opt eq 'hookscript') {
# For now this is restricted to root@pam
- raise_perm_exc("changing the hookscript is only allowed for root\@pam");
+ raise_perm_exc("changing the hookscript is only allowed for root\@pam")
+ if !$is_root;
} else {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options']);
}
--
2.30.2
next prev parent reply other threads:[~2022-01-05 15:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-05 15:22 [pve-devel] [RFC access-control common container qemu-server 0/4] #2582: Sys.Root privilege Oguz Bektas
2022-01-05 15:22 ` [pve-devel] [RFC access-control 1/4] add " Oguz Bektas
2022-01-05 15:22 ` [pve-devel] [RFC common 2/4] tools: add 'check_for_root' helper Oguz Bektas
2022-01-10 13:45 ` Fabian Grünbichler
2022-01-05 15:22 ` Oguz Bektas [this message]
2022-01-05 15:22 ` [pve-devel] [RFC qemu-server 4/4] api: use common helper for checking root privileges Oguz Bektas
2022-01-10 13:45 ` Fabian Grünbichler
2022-01-10 13:45 ` [pve-devel] [RFC access-control common container qemu-server 0/4] #2582: Sys.Root privilege Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220105152215.1307583-4-o.bektas@proxmox.com \
--to=o.bektas@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox