[pve-devel] [PATCH qemu-server] implement permission checks for cloud-init related options

Dietmar Maurer dietmar at proxmox.com
Thu May 3 14:10:57 CEST 2018


Most cloud-init options are network related, so we simply check
for VM.Config.Network priviledge.

Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
---
 PVE/API2/Qemu.pm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 0f27d29..cc5e8c0 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -291,6 +291,15 @@ my $diskoptions = {
     'vmstatestorage' => 1,
 };
 
+my $cloudinitoptions = {
+    cipassword => 1,
+    citype => 1,
+    ciuser => 1,
+    nameserver => 1,
+    searchdomain => 1,
+    sshkeys => 1,
+};
+
 my $check_vm_modify_config_perm = sub {
     my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
 
@@ -318,7 +327,7 @@ my $check_vm_modify_config_perm = sub {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
 	} elsif ($diskoptions->{$opt}) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
-	} elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) {
+	} elsif ($cloudinitoptions->{$opt} || ($opt =~ m/^(?:net|ipconfig)\d+$/)) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
 	} else {
 	    # catches usb\d+, hostpci\d+, args, lock, etc.
-- 
2.11.0



More information about the pve-devel mailing list