[pve-devel] applied: [PATCH qemu-server] implement permission checks for cloud-init related options
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon May 14 11:18:40 CEST 2018
On Thu, May 03, 2018 at 02:10:57PM +0200, Dietmar Maurer wrote:
> Most cloud-init options are network related, so we simply check
> for VM.Config.Network privilege.
>
> Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
> ---
> PVE/API2/Qemu.pm | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 0f27d29..cc5e8c0 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -291,6 +291,15 @@ my $diskoptions = {
> 'vmstatestorage' => 1,
> };
>
> +my $cloudinitoptions = {
> + cipassword => 1,
> + citype => 1,
> + ciuser => 1,
> + nameserver => 1,
> + searchdomain => 1,
> + sshkeys => 1,
> +};
> +
> my $check_vm_modify_config_perm = sub {
> my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
>
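Review bot: `$cloudinitoptions` mixes guest credential settings (`cipassword`, `ciuser`, `sshkeys`) with resolver settings (`nameserver`, `searchdomain`), and nothing at the declaration says which privilege the hash maps to. A short comment above `my $cloudinitoptions = {` naming the privilege checked for these keys would make the grouping an explicit decision. It should also note that any cloud-init option added later has to be listed here, otherwise it falls through to the generic `else` branch of `$check_vm_modify_config_perm`.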
> @@ -318,7 +327,7 @@ my $check_vm_modify_config_perm = sub {
> $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
> } elsif ($diskoptions->{$opt}) {
> $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
> - } elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) {
> + } elsif ($cloudinitoptions->{$opt} || ($opt =~ m/^(?:net|ipconfig)\d+$/)) {
> $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
> } else {
> # catches usb\d+, hostpci\d+, args, lock, etc.
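Review bot: In the changed `elsif`, `$cloudinitoptions->{$opt}` puts `cipassword` and `sshkeys` behind `VM.Config.Network`, so a user holding only that privilege can set the guest's login password and SSH keys, which goes beyond network configuration. The commit message says only that most cloud-init options are network related. Consider checking the credential keys in a branch of their own, or state in the commit message that this is intended and what these keys required before, when they fell through to the final `else`.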
> --
> 2.11.0