[pve-devel] [PATCH storage 1/4] check volume access: allow if user has VM.Config.Disk
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Mar 28 13:36:48 CEST 2022
On March 28, 2022 11:07 am, Fabian Ebner wrote:
> Am 24.03.22 um 09:18 schrieb Fabian Grünbichler:
>> On March 22, 2022 10:31 am, Fabian Ebner wrote:
>>> Am 22.03.22 um 09:31 schrieb Fabian Ebner:
>>>> Am 21.03.22 um 14:06 schrieb Fabian Ebner:
>>>>> diff --git a/PVE/Storage.pm b/PVE/Storage.pm
>>>>> index 6112991..efa304a 100755
>>>>> --- a/PVE/Storage.pm
>>>>> +++ b/PVE/Storage.pm
[..]
>>>>> + } elsif (($vtype eq 'images' || $vtype eq 'rootdir') && $ownervm) {
>>>>> + $rpcenv->check($user, "/vms/$ownervm", ['VM.Config.Disk']);
>>>>
>>>> Of course this needs to be or-ed with the Datastore.Allocate privilege.
>>>> Will fix it in v2.
>>
>> and and-ed with Datastore.AllocateSpace?
>>
>
> I'm not sure. For clone, that's currently not checked (it's enough to
> have VM.Clone and Datastore.AllocateSpace on the target storage, and I
> kept it consistent with that for the proposed import-from), so it would
> be a bit weird if listing the images requires it, while the actual
> operation doesn't. But I don't mind adding it, if you want me to?
for listing a storage's contents we also already check Datastore.Audit |
Datastore.AllocateSpace (as part of the API schema), but for info and
attribute updating we only check `check_volume_access` which would
mean that with your change these suddenly allow brute force listing
(with /vm permission, but no permissions on the storage) which
doesn't seem ideal. for those two API endpoints with the current version
of check_volume_access one of Datastore.Allocatespace, Allocate or Audit
(depending on volume type) is needed implicitly via check_volume_access..
basically I see two options:
- extend your new branch in check_volume_access to require Datastore.X
(Audit or Allocatespace?) in addition to VM.Config.Disk => import-from
would require it, info/update_attributes in the storage API would
require it if they take that branch
- change info/update_attributes to require any of Datastore.Allocate,
Datastore.AllocateSpace, Datastore.Audit => import-from would not
require them.
I think I prefer the first variant, since it's internally consistent in
check_volume_access (all the branches check some storage priv, unless
the special 'we checked already and if the volume is owned by this VMID
it's okay' path is taken via a passed in owner $vmid) and is less
'pitfall-y' (w.r.t. opening brute-force code paths like the info one).
we could of course think about extending it further in the direction of
'Datastore.Audit | Datastore.AllocateSpace' vs 'Datastore.AllocateSpace'
via a flag to differentiate between reading a volume and
writing/allocating one (and then in import-from, the source would only
need Audit, while the target would need AllocateSpace). but that would
require some more thought I think..
side-note: the check in clone_vm is a bit strange, it overrides the
source storage with the target storage, but not for the vmstatestorage,
so it basically rechecks the permissions for that single config key but
not for any others.. maybe we should even drop the check for
vmstatestorage? if it's in the config, somebody with the appropriate
permission put it there after all, and if a user can clone that VM all
the config comes with it?
More information about the pve-devel
mailing list