[pve-devel] [PATCH qemu-server] implement permission checks for cloud-init related options
Dietmar Maurer
dietmar at proxmox.com
Thu May 3 14:10:57 CEST 2018
Most cloud-init options are network related, so we simply check
for the VM.Config.Network privilege.
Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
---
PVE/API2/Qemu.pm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 0f27d29..cc5e8c0 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -291,6 +291,15 @@ my $diskoptions = {
'vmstatestorage' => 1,
};
+my $cloudinitoptions = {
+ cipassword => 1,
+ citype => 1,
+ ciuser => 1,
+ nameserver => 1,
+ searchdomain => 1,
+ sshkeys => 1,
+};
+
my $check_vm_modify_config_perm = sub {
my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
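Review bot: `$cloudinitoptions` carries no comment saying that membership in this hash is what selects the privilege checked further down in `$check_vm_modify_config_perm`. A cloud-init key added to the config schema later but not listed here would presumably fall through to the default branch, with nothing to point a maintainer at the cause. I would add above the hash: `# cloud-init options; modifying any of these is authorized via VM.Config.Network in $check_vm_modify_config_perm`. The body of `$check_vm_modify_config_perm` continues outside this hunk.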
@@ -318,7 +327,7 @@ my $check_vm_modify_config_perm = sub {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
} elsif ($diskoptions->{$opt}) {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
- } elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) {
+ } elsif ($cloudinitoptions->{$opt} || ($opt =~ m/^(?:net|ipconfig)\d+$/)) {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
} else {
# catches usb\d+, hostpci\d+, args, lock, etc.
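Review bot: `cipassword`, `ciuser` and `sshkeys` set guest login credentials rather than network parameters, yet the new `$cloudinitoptions->{$opt}` arm of the `elsif` lets any holder of VM.Config.Network change them. Before this change those keys appear to have fallen through to the final `else` branch, whose check is outside the hunk, so this likely widens who can set a VM's password and authorized keys. Consider moving the credential keys into their own hash gated by a stricter or dedicated privilege. At minimum, record the decision next to the check, e.g. `# cipassword/sshkeys grant guest login; deliberately allowed with VM.Config.Network`. The enclosing sub starts and ends outside this hunk.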
--
2.11.0