[pbs-devel] [PATCH v5 proxmox-backup 14/31] api: config: Require PRIV_DATASTORE_AUDIT to modify sync job
Christian Ebner
c.ebner at proxmox.com
Fri Oct 18 10:42:25 CEST 2024
Read access to sync jobs is not granted to users not having at least
PRIV_DATASTORE_AUDIT permissions on the datastore. However, a user is
able to create or modify such jobs without having the audit
permission.
Therefore, further restrict the modify check by also including the
audit permissions.
Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
---
changes since version 4:
- no changes
changes since version 3:
- not present in previous version
src/api2/config/sync.rs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
index b78267025..ad6ba0c85 100644
--- a/src/api2/config/sync.rs
+++ b/src/api2/config/sync.rs
@@ -45,7 +45,7 @@ pub fn check_sync_job_modify_access(
job: &SyncJobConfig,
) -> bool {
let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.acl_path());
- if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0 {
+ if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0 || ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0 {
return false;
}
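Review bot: the new condition on the `if` line in `check_sync_job_modify_access` tests the two privilege bits with separate `== 0` comparisons, so a reader has to work out that both BACKUP and AUDIT are now mandatory; expressing the requirement as one required mask makes the intent explicit and keeps the line within the width rustfmt would otherwise wrap, e.g. `let required = PRIV_DATASTORE_BACKUP | PRIV_DATASTORE_AUDIT;` followed by `if ns_anchor_privs & required != required {`. Since this tightens an authorization check, the function's doc comment (not shown in the hunk) should also state that modifying a sync job now needs audit on the datastore namespace anchor, matching what the commit message says about read access.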
@@ -537,7 +537,7 @@ user: write at pbs
r###"
acl:1:/datastore/localstore1:read at pbs,write at pbs:DatastoreAudit
acl:1:/datastore/localstore1:write at pbs:DatastoreBackup
-acl:1:/datastore/localstore2:write at pbs:DatastorePowerUser
+acl:1:/datastore/localstore2:write at pbs:DatastoreAudit,DatastorePowerUser
acl:1:/datastore/localstore3:write at pbs:DatastoreAdmin
acl:1:/remote/remote1:read at pbs,write at pbs:RemoteAudit
acl:1:/remote/remote1/remotestore1:write at pbs:RemoteSyncOperator
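Review bot: adding `DatastoreAudit` to the only `DatastorePowerUser` entry (`/datastore/localstore2`) keeps the existing expectations passing but leaves no fixture that exercises the newly rejected case, a user with backup but without audit privileges on the datastore. Consider keeping one datastore ACL with `DatastorePowerUser` alone (or adding a separate entry) and asserting that `check_sync_job_modify_access` returns `false` for it, so a future regression that drops the `PRIV_DATASTORE_AUDIT` half of the check would be caught.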
--
2.39.5