[pve-devel] [PATCH storage 1/4] check volume access: allow if user has VM.Config.Disk

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Mar 28 13:36:48 CEST 2022


On March 28, 2022 11:07 am, Fabian Ebner wrote:
> Am 24.03.22 um 09:18 schrieb Fabian Grünbichler:
>> On March 22, 2022 10:31 am, Fabian Ebner wrote:
>>> Am 22.03.22 um 09:31 schrieb Fabian Ebner:
>>>> Am 21.03.22 um 14:06 schrieb Fabian Ebner:
>>>>> diff --git a/PVE/Storage.pm b/PVE/Storage.pm
>>>>> index 6112991..efa304a 100755
>>>>> --- a/PVE/Storage.pm
>>>>> +++ b/PVE/Storage.pm

[..]

>>>>> +	} elsif (($vtype eq 'images' || $vtype eq 'rootdir') && $ownervm) {
>>>>> +	    $rpcenv->check($user, "/vms/$ownervm", ['VM.Config.Disk']);
>>>>
>>>> Of course this needs to be or-ed with the Datastore.Allocate privilege.
>>>> Will fix it in v2.
>> 
>> and and-ed with Datastore.AllocateSpace?
>>
> 
> I'm not sure. For clone, that's currently not checked (it's enough to
> have VM.Clone and Datastore.AllocateSpace on the target storage, and I
> kept it consistent with that for the proposed import-from), so it would
> be a bit weird if listing the images requires it, while the actual
> operation doesn't. But I don't mind adding it, if you want me to?

for listing a storage's contents we also already check Datastore.Audit | 
Datastore.AllocateSpace (as part of the API schema), but for info and 
attribute updating we only check `check_volume_access` which would 
mean that with your change these suddenly allow brute force listing 
(with /vm permission, but no permissions on the storage) which 
doesn't seem ideal. for those two API endpoints with the current version 
of check_volume_access one of Datastore.Allocatespace, Allocate or Audit 
(depending on volume type) is needed implicitly via check_volume_access..

basically I see two options:
- extend your new branch in check_volume_access to require Datastore.X 
  (Audit or Allocatespace?) in addition to VM.Config.Disk => import-from 
  would require it, info/update_attributes in the storage API would 
  require it if they take that branch
- change info/update_attributes to require any of Datastore.Allocate, 
  Datastore.AllocateSpace, Datastore.Audit => import-from would not 
  require them.

I think I prefer the first variant, since it's internally consistent in 
check_volume_access (all the branches check some storage priv, unless 
the special 'we checked already and if the volume is owned by this VMID 
it's okay' path is taken via a passed in owner $vmid) and is less 
'pitfall-y' (w.r.t. opening brute-force code paths like the info one).

we could of course think about extending it further in the direction of 
'Datastore.Audit | Datastore.AllocateSpace' vs 'Datastore.AllocateSpace' 
via a flag to differentiate between reading a volume and 
writing/allocating one (and then in import-from, the source would only 
need Audit, while the target would need AllocateSpace). but that would 
require some more thought I think..

side-note: the check in clone_vm is a bit strange, it overrides the 
source storage with the target storage, but not for the vmstatestorage, 
so it basically rechecks the permissions for that single config key but 
not for any others.. maybe we should even drop the check for 
vmstatestorage? if it's in the config, somebody with the appropriate 
permission put it there after all, and if a user can clone that VM all 
the config comes with it?





More information about the pve-devel mailing list