[pve-devel] [PATCH v2 storage 09/12] check_volume_access: allow superusers to pass arbitrary fs paths

Oguz Bektas o.bektas at proxmox.com
Fri Mar 11 12:25:01 CET 2022


Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
 PVE/Storage.pm | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/PVE/Storage.pm b/PVE/Storage.pm
index b1d31bb..762933f 100755
--- a/PVE/Storage.pm
+++ b/PVE/Storage.pm
@@ -467,6 +467,11 @@ sub parse_volume_id {
 sub check_volume_access {
     my ($rpcenv, $user, $cfg, $vmid, $volid) = @_;
 
+    return if $user eq 'root at pam'; # root at pam always OK
+
+    # SU on "/" are needed for passing arbitrary filesystem paths
+    my $is_superuser = $rpcenv->check($user, "/", ['SuperUser'], 1);
+
     my ($sid, $volname) = parse_volume_id($volid, 1);
     if ($sid) {
 	my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
@@ -483,8 +488,8 @@ sub check_volume_access {
 	    $rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate']);
 	}
     } else {
-	die "Only root can pass arbitrary filesystem paths."
-	    if $user ne 'root at pam';
+	die "Only superusers can pass arbitrary filesystem paths."
+	    if !$is_superuser;
     }
 
     return undef;
-- 
2.30.2






More information about the pve-devel mailing list