[pve-devel] [RFC container 3/3] implement permission checks for feature flags

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Sep 21 07:52:53 CEST 2018


On 9/19/18 3:11 PM, Wolfgang Bumiller wrote:
> On Wed, Sep 19, 2018 at 02:09:39PM +0200, Thomas Lamprecht wrote:
>> On 7/31/18 2:50 PM, Wolfgang Bumiller wrote:
>>> To disable a feature it is enough to be generally allowed
>>> to edit the configuration. Enabling a feature requires more
>>> privileges. For now: root at pam.
>>>
>>
>> While it is correct from a technical POV, it seems a bit strange from an
>> user experience POV, not sure about this.
>> E.g., I'm one of those people that often just try to toggle options for the
>> sake of it and see what happens - at least if it's nothing too important, 
>> and here I'd be quite bummed out if I had it, disabled keyctl and then my
>> unprivileged CT gets problems - no nice UX, IMO...
> 
> Not allowing to remove them works for me, too. IOW. any change there
> requires root at pam, although actually the 'keyctl' feature should only
> require the regular VM.Config permission as it's not a security critical
> change but rather disables a systemd-networkd-specific workaround.
> 

Sounds good.
Nesting could be allowed when having a combination of being able to modify
the VM config and Sys.Audit.
Mounting can have more adverse affects, so for now I'd just let it be
root at pam..



More information about the pve-devel mailing list