[pve-devel] firewall permissions / network permissions

Dietmar Maurer dietmar at proxmox.com
Thu Oct 20 17:13:01 CEST 2016


> A firewall change is a simple sysadmin task. But in the worst case a user can
> deactivate the IP/MAC spoofing or connect to another bridge.
> In our case we have some Windows VMs to manage the cluster and network. They
> have access to another bridge which is connected to the internal network. Any
> user who needs the right to simply change some firewall rules can add or
> change the network device to that bridge. That's a big security problem.

Sounds reasonable to me.


> Is it very difficult to add new privileges?


Not really. It just work...



