[pve-devel] applied: [PATCH qemu-server] implement permission checks for cloud-init related options

Wolfgang Bumiller w.bumiller at proxmox.com
Mon May 14 11:18:40 CEST 2018


On Thu, May 03, 2018 at 02:10:57PM +0200, Dietmar Maurer wrote:
> Most cloud-init options are network-related, so we simply check
> for the VM.Config.Network privilege.
> 
> Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
> ---
>  PVE/API2/Qemu.pm | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 0f27d29..cc5e8c0 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -291,6 +291,15 @@ my $diskoptions = {
>      'vmstatestorage' => 1,
>  };
>  
> +my $cloudinitoptions = {
> +    cipassword => 1,
> +    citype => 1,
> +    ciuser => 1,
> +    nameserver => 1,
> +    searchdomain => 1,
> +    sshkeys => 1,
> +};
> +
>  my $check_vm_modify_config_perm = sub {
>      my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
>  
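Review bot: The new `$cloudinitoptions` hash has no comment saying what belongs in it, and its name suggests it is the full cloud-init key set even though the indexed `ipconfigN` keys are handled by the regex in the second hunk instead. A one-line comment above the hash would make that explicit, for example `# un-indexed cloud-init keys; ipconfigN is matched by regex in $check_vm_modify_config_perm`. It would also help to note there that the list mixes credential keys (`cipassword`, `ciuser`, `sshkeys`) with resolver keys (`nameserver`, `searchdomain`), since every entry gets the same privilege check.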
> @@ -318,7 +327,7 @@ my $check_vm_modify_config_perm = sub {
>  	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
>  	} elsif ($diskoptions->{$opt}) {
>  	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
> -	} elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) {
> +	} elsif ($cloudinitoptions->{$opt} || ($opt =~ m/^(?:net|ipconfig)\d+$/)) {
>  	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
>  	} else {
>  	    # catches usb\d+, hostpci\d+, args, lock, etc.
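Review bot: The added `$cloudinitoptions->{$opt}` test in the `elsif` gates `cipassword`, `ciuser` and `sshkeys` on `VM.Config.Network`, although these three keys define the guest's login credentials rather than network parameters. Before this change they fell through to the `else` branch, whose body is outside the hunk, so the previously required privilege is not visible here; if it was stricter, a role delegated only for network configuration can now decide who is able to log in to the guest. Consider keeping the credential keys in a separate hash with their own `check_vm_perm` call against a dedicated or stricter privilege, and leaving only `nameserver`, `searchdomain` and `citype` on the network check. If the current mapping is intentional, a comment on the branch such as `# cloud-init credentials are deliberately covered by VM.Config.Network` would record that decision. The enclosing sub starts and ends outside this hunk.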
> -- 
> 2.11.0


