[pve-devel] [RFC common 2/4] tools: add 'check_for_root' helper

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Jan 10 14:45:18 CET 2022


On January 5, 2022 4:22 pm, Oguz Bektas wrote:
> checks if the rpcenv user is 'root at pam' or has the 'Sys.Root' privilege
> on a given API path
> 
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>  src/PVE/Tools.pm | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
> index 787942a..3e2e7f9 100644
> --- a/src/PVE/Tools.pm
> +++ b/src/PVE/Tools.pm
> @@ -2017,4 +2017,13 @@ sub get_file_hash {
>      return lc($digest);
>  }
>  
> +sub check_for_root {
> +    my ($path_to_check) = @_;
> +
> +    my $rpcenv = PVE::RPCEnvironment::get();
> +    my $authuser = $rpcenv->get_user();
> +    my $is_root = $authuser eq 'root at pam' || $rpcenv->check($authuser, $path_to_check, ['Sys.Root'], 1);
> +    return $is_root;
> +}

this is in the wrong place (pve-common is not concerned with 
access-control), move it to RPCEnvironment if kept.

this is only needed for the short-cut of not actually checking privs for 
the 'root at pam' user, since 'root at pam' by definition has 'Sys.Root' on 
all paths - so not sure whether the helper is necessary at all.

we don't have that many places limited to 'root at pam', so not sure 
whether simply doing:

# no short-cut
$rpcenv->check($authuser, $path_to_check, ['Sys.Root']);

or

# short-cut for user if in hot path somehow
$rpcenv->check($authuser, $path_to_check, ['Sys.Root'])
    if $authuser ne 'root at pam';

is not sufficient? it seems to be very short compared to the other 
helpers we have in PVE::RPCEnvironment ;)

> +
>  1;
> -- 
> 2.30.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 




More information about the pve-devel mailing list