[pve-devel] [PATCH container] document bind/device mp permissions better
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Dec 13 12:14:28 CET 2016
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Note: no functional change, just a better error message and a note
in the API documentation / viewer.
src/PVE/API2/LXC/Config.pm | 1 +
src/PVE/LXC.pm | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
index fd6178b..e3909a3 100644
--- a/src/PVE/API2/LXC/Config.pm
+++ b/src/PVE/API2/LXC/Config.pm
@@ -72,6 +72,7 @@ __PACKAGE__->register_method({
description => "Set container options.",
permissions => {
check => ['perm', '/vms/{vmid}', $vm_config_perm_list, any => 1],
+ description => 'non-volume mount points in rootfs and mp[n] are restricted to root at pam',
},
parameters => {
additionalProperties => 0,
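Review bot: The added description reads `root at pam`, while the error message changed in src/PVE/LXC.pm in the same patch spells the realm user as `root\@pam`. The " at " may only be the list archive's address obfuscation, but if the literal in the file really is `root at pam` it should be `root@pam`, which needs no escaping inside a single-quoted string. The description is free text and the restriction is enforced separately in check_ct_modify_config_perm, so the two can drift apart; a short comment here naming that function, e.g. `# enforced in PVE::LXC::check_ct_modify_config_perm`, would help keep them in step.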
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 810fae5..8fa03f1 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -897,7 +897,8 @@ sub check_ct_modify_config_perm {
return if $delete;
my $data = $opt eq 'rootfs' ? PVE::LXC::Config->parse_ct_rootfs($newconf->{$opt})
: PVE::LXC::Config->parse_ct_mountpoint($newconf->{$opt});
- raise_perm_exc("mount point type $data->{type}") if $data->{type} ne 'volume';
+ raise_perm_exc("mount point type $data->{type} is only allowed for root\@pam")
+ if $data->{type} ne 'volume';
} elsif ($opt eq 'memory' || $opt eq 'swap') {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Memory']);
} elsif ($opt =~ m/^net\d+$/ || $opt eq 'nameserver' ||
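Review bot: The new message says non-volume mount point types are "only allowed for root@pam", but the `return if $delete;` at the top of this branch means removing such an entry never reaches the check, so the restriction visible here covers setting or changing a value only. A comment above the raise would make that scope explicit, e.g. `# only root@pam may set non-volume (e.g. bind/device) mount points; deletion returned above`. The root@pam exemption itself is not in the hunk (presumably an early return near the top of check_ct_modify_config_perm, which starts and ends outside it), so the wording is only accurate while that bypass stays in place. It is also worth confirming that the two parse helpers die on a malformed value rather than returning undef; otherwise `$data->{type}` would be undef and the request would still be denied, but with a warning and an empty type in the message.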
--
2.1.4