[pve-devel] [PATCH manager] fix #2771: relax cert API endpoints permissions

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Jun 17 11:42:16 CEST 2020 

allow users with Sys.Modify to modify custom or ACME certificates. those
users can already hose the system in plenty of ways, no reason to
restrict this in particular to being root at pam only.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/API2/ACME.pm         | 9 +++++++++
 PVE/API2/Certificates.pm | 6 ++++++
 2 files changed, 15 insertions(+)

diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
index c7d6e7e9..0decfb4a 100644
--- a/PVE/API2/ACME.pm
+++ b/PVE/API2/ACME.pm
@@ -158,6 +158,9 @@ __PACKAGE__->register_method ({
     name => 'new_certificate',
     path => 'certificate',
     method => 'POST',
+    permissions => {
+	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Order a new certificate from ACME-compatible CA.",
     protected => 1,
     proxyto => 'node',
@@ -226,6 +229,9 @@ __PACKAGE__->register_method ({
     name => 'renew_certificate',
     path => 'certificate',
     method => 'PUT',
+    permissions => {
+	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Renew existing certificate from CA.",
     protected => 1,
     proxyto => 'node',
@@ -303,6 +309,9 @@ __PACKAGE__->register_method ({
     name => 'revoke_certificate',
     path => 'certificate',
     method => 'DELETE',
+    permissions => {
+	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Revoke existing certificate from CA.",
     protected => 1,
     proxyto => 'node',
diff --git a/PVE/API2/Certificates.pm b/PVE/API2/Certificates.pm
index fd75ba85..d22e203e 100644
--- a/PVE/API2/Certificates.pm
+++ b/PVE/API2/Certificates.pm
@@ -91,6 +91,9 @@ __PACKAGE__->register_method ({
     name => 'upload_custom_cert',
     path => 'custom',
     method => 'POST',
+    permissions => {
+	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => 'Upload or update custom certificate chain and key.',
     protected => 1,
     proxyto => 'node',
@@ -163,6 +166,9 @@ __PACKAGE__->register_method ({
     name => 'remove_custom_cert',
     path => 'custom',
     method => 'DELETE',
+    permissions => {
+	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => 'DELETE custom certificate chain and key.',
     protected => 1,
     proxyto => 'node',
-- 
2.20.1

More information about the pve-devel mailing list