[pve-devel] [PATCH qemu-server] restrict monitor API call to Sys.Modify

Dietmar Maurer dietmar at proxmox.com
Mon Nov 7 06:54:37 CET 2016


Not sure about this change. What if we simply change
the roles instead?

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index ea4245c..8752cc8 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -502,7 +502,6 @@ my $privgroups = {
            'VM.Allocate',
            'VM.Clone',
            'VM.Migrate',
-           'VM.Monitor',
            'VM.Snapshot',
        ],
        user => [
@@ -524,6 +523,7 @@ my $privgroups = {
            'Permissions.Modify',
            'Sys.Console',
            'Sys.Syslog',
+           'VM.Monitor',
        ],
        user => [],
        audit => [




> On November 4, 2016 at 9:42 AM Fabian Grünbichler <f.gruenbichler at proxmox.com>
> wrote:
> 
> 
> because this allows adding arbitrary devices to VMs (and
> other potentially dangerous things)
> ---
>  PVE/API2/Qemu.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 34a5d5d..e6fbb1b 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -2775,7 +2775,7 @@ __PACKAGE__->register_method({
>      proxyto => 'node',
>      description => "Execute Qemu monitor commands.",
>      permissions => {
> -	check => ['perm', '/vms/{vmid}', [ 'VM.Monitor' ]],
> +	check => ['perm', '/', [ 'Sys.Modify' ]],
>      },
>      parameters => {
>      	additionalProperties => 0,
> -- 
> 2.1.4
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel




More information about the pve-devel mailing list