From: Leo Nunner
To: Thomas Lamprecht, Proxmox VE development discussion
Date: Wed, 16 Nov 2022 15:17:57 +0100
Subject: Re: [pve-devel] [PATCH qemu-server 1/1] fix #4321: properly check cloud-init drive permissions
References: <20221103130423.52460-1-l.nunner@proxmox.com> <20221103130423.52460-2-l.nunner@proxmox.com> <7b22b115-875a-6600-e4bf-011084941240@proxmox.com>
In-Reply-To: <7b22b115-875a-6600-e4bf-011084941240@proxmox.com>
List-Id: Proxmox VE development discussion

On 2022-11-16 13:15, Thomas Lamprecht wrote:
> On 03/11/2022 at 14:04, Leo Nunner wrote:
>> The process for editing cloud-init drives checked for inconsistent
>> permissions: for adding, the VM.Config.Disk permission was needed, while
>> the VM.Config.CDROM permission was needed to remove a drive. The regex
>> in drive_is_cloudinit needed to be adapted since the drive names have
>> different formats before/after they are actually generated. Furthermore,
>> the VM.Config.Cloudinit permission should be required to edit
>> cloud-init drives.
>>
>> Signed-off-by: Leo Nunner
>> --- >> PVE/API2/Qemu.pm | 6 ++++-- >> PVE/QemuServer/Drive.pm | 2 +- >> 2 files changed, 5 insertions(+), 3 deletions(-) >> >> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm >> index 3ec31c2..cacd233 100644 >> --- a/PVE/API2/Qemu.pm >> +++ b/PVE/API2/Qemu.pm 
>> @@ -1512,11 +1512,13 @@ my $update_vm_api = sub { >> my $check_drive_perms = sub { >> my ($opt, $val) = @_; >> my $drive = PVE::QemuServer::parse_drive($opt, $val, 1); >> - # FIXME: cloudinit: CDROM or Disk? >> - if (PVE::QemuServer::drive_is_cdrom($drive)) { # CDROM >> + if(PVE::QemuServer::drive_is_cloudinit($drive)) {
> missing white after `if`
>
>> + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Cloudinit', 'VM.Config.Disk']);
> while I don't think that the perm change is problematic w.r.t. backward compat
> in practice, it seems a bit odd to argue for disk only, maybe we need to also
> check for CDROM, as cloudinit *adds* a cdrom drive, so it may require that too.
>
> But, to decide that I wanted to check our privilege docs, only to notice that we
> do not mention the cloudinit one there at all, not great...
>
> https://pve.proxmox.com/pve-docs/chapter-pveum.html#_privileges
>
> Please check the dev history to see if Cloudinit is deemed enough to add the CDROM
> or if we should add that priv to the check too, then re-send this with updated
> commit message, the whitespace fixes and a docs patch.
>

AFAICT, VM.Config.Cloudinit seems to have been introduced solely to set cloudinit options in the config itself [1], so I don't think it should be the only requirement for adding cloudinit drives.

I agree though, now that I think about it, solely checking for VM.Config.Disk as an added requirement doesn't make much sense; the only reason why it checked for this permission in the first place was that the string for cloudinit drives fell through the regex in drive_is_cdrom before being generated, and was thus being seen as a disk, not a CDROM drive.

So, for backwards-compatibility purposes, I guess VM.Config.Cloudinit && (VM.Config.Disk || VM.Config.CDROM) would make the most sense.

[1] https://git.proxmox.com/?p=qemu-server.git;a=commit;h=fc701af7406336d18e4f20d61010c7de69fdd9f1
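
Review bot: the added `$rpcenv->check_vm_perm(...)` line in the new `drive_is_cloudinit` branch of the PVE/API2/Qemu.pm hunk hard-codes `VM.Config.Disk` next to `VM.Config.Cloudinit`, while the commit message says removing a cloud-init drive used to be gated on `VM.Config.CDROM`. If the privilege list is evaluated as all-of, which is how the thread reads it, a role holding Cloudinit and CDROM but not Disk loses the ability to remove the drive, and the commit message does not mention that change. The deleted `# FIXME: cloudinit: CDROM or Disk?` comment asked exactly this question, so the replacement should carry a short comment stating the chosen rule and why; if either Disk or CDROM is meant to suffice, check `VM.Config.Cloudinit` on its own and then Disk-or-CDROM as a separate any-of check.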
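
The permission rules discussed in this thread, modelled as an added example (not part of the original mail and not qemu-server code): it enumerates every combination of the three privileges and reports which ones lose or gain the ability to add or remove a cloud-init drive, relative to the behaviour the commit message describes. The policy names `before`, `patch_v1` and `proposed` are labels chosen here, and `patch_v1` assumes the privilege list in the patch means "all of".

```python
from itertools import combinations

CI, DISK, CDROM = "VM.Config.Cloudinit", "VM.Config.Disk", "VM.Config.CDROM"
PRIVS = (CI, DISK, CDROM)
OPS = ("add", "remove")

# Model of the rules discussed in the thread; not qemu-server code.
# Each policy maps an operation on a cloud-init drive to a predicate
# over the caller's privilege set.
POLICIES = {
    # Behaviour before the patch, as described in the commit message.
    "before": {"add": lambda p: DISK in p, "remove": lambda p: CDROM in p},
    # Patch as sent, assuming the privilege list means "all of".
    "patch_v1": {op: (lambda p: {CI, DISK} <= p) for op in OPS},
    # Rule proposed in the reply: Cloudinit && (Disk || CDROM).
    "proposed": {op: (lambda p: CI in p and bool({DISK, CDROM} & p)) for op in OPS},
}


def privilege_sets():
    """Yield all 8 subsets of the three privileges."""
    for n in range(len(PRIVS) + 1):
        for combo in combinations(PRIVS, n):
            yield frozenset(combo)


def regressions(old, new, op):
    """Privilege sets that `old` allows for `op` but `new` denies."""
    return {p for p in privilege_sets()
            if POLICIES[old][op](p) and not POLICIES[new][op](p)}


def newly_allowed(old, new, op):
    """Privilege sets that `old` denies for `op` but `new` allows."""
    return {p for p in privilege_sets()
            if POLICIES[new][op](p) and not POLICIES[old][op](p)}


if __name__ == "__main__":
    for new in ("patch_v1", "proposed"):
        for op in OPS:
            lost = sorted(sorted(p) for p in regressions("before", new, op))
            gained = sorted(sorted(p) for p in newly_allowed("before", new, op))
            print(f"{new:9} {op:6} lost={lost} gained={gained}")
```

Under this model the proposed rule restores removal only for holders of Cloudinit plus CDROM; any role without VM.Config.Cloudinit still loses access it had before.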