[pve-devel] [PATCH v4 docs 18/18] pveum: add SU privilege and SA role

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Jul 27 11:08:10 CEST 2022


On June 2, 2022 9:24 am, Oguz Bektas wrote:
> with some warnings about imposed restrictions and the danger of giving
> this role/privilege to untrusted users.

this should probably have a warning about giving whole groups SuperUser 
privileges, since anybody able to add users to that group (which does 
not require SU) can give themselves SU that way. unfortunately groups 
are not a proper entity that we can query privs for, so this is hard to 
check/guard against reliably/in a future-proof fashion.

something like this maybe?

 Be careful to restrict access to groups with `SuperUser` privileges - 
 anybody who can modify such a group can give themselves `SuperUser` 
 access, without the group modification itself requiring it!

> 
> Suggested-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>  pveum.adoc | 14 +++++++++++++-
>  1 file changed, 13 insertions(+), 1 deletion(-)
> 
> diff --git a/pveum.adoc b/pveum.adoc
> index 840067e..8067984 100644
> --- a/pveum.adoc
> +++ b/pveum.adoc
> @@ -705,7 +705,11 @@ Roles
>  A role is simply a list of privileges. Proxmox VE comes with a number
>  of predefined roles, which satisfy most requirements.
>  
> -* `Administrator`: has full privileges
> +* `SuperAdministrator`: has **full** privileges including `SuperUser`
> +* `Administrator`: has all privileges **except** `SuperUser`
> +
> +NOTE: `SuperAdministrator` role is equivalent to 'root at pam'! Do not give this role to untrusted users.

should be a warning, likely?

> +
>  * `NoAccess`: has no privileges (used to forbid access)
>  * `PVEAdmin`: can do most tasks, but has no rights to modify system settings (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`)
>  * `PVEAuditor`: has read only access
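
Review bot: the `NOTE:` paragraph added between the `Administrator` and `NoAccess` items sits in the middle of the role list, so the bullet list is split in two around it. Move the admonition below the complete list, or attach it to the `SuperAdministrator` item with a list continuation, so the predefined roles stay in one list. The sentence would also read better as "The `SuperAdministrator` role is equivalent to ...".
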
> @@ -748,6 +752,14 @@ We currently support the following privileges:
>  
>  Node / System related privileges::
>  
> +* `SuperUser`: modify root-only configuration options (warning! **do
> +not give this privilege to untrusted users**)

should be a proper warning? and, as discussed, `SuperUser` should be its 
own section (also, the warnings/notes would look weird otherwise/break 
formatting).

> +
> +NOTE: `SuperUser` privilege by itself does not equal the access level of 'root at pam'.
> +
> +NOTE: Certain actions on users with the `SuperUser` privilege are restricted to others
> +with `SuperUser`, i.e. changing their password or two-factor-authentication settings
> +
>  * `Permissions.Modify`: modify access permissions
>  * `Sys.PowerMgmt`: node power management (start, stop, reset, shutdown, ...)
>  * `Sys.Console`: console access to node
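
Review bot: the first added `NOTE:` says the `SuperUser` privilege by itself does not equal the access level of 'root at pam' but does not say what is missing, while the Roles hunk calls `SuperAdministrator` equivalent to it. State what else is needed beyond `SuperUser`, so readers can tell the two cases apart. In the second note, "i.e." after "Certain actions" reads as an exhaustive list; use "e.g." if password and two-factor changes are only examples, and end the sentence with a period.
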
> -- 
> 2.30.2
> 
> 




