[pve-devel] [PATCH qemu-server v7 1/1] api: update: check 'admin' tags privileges
Aaron Lauterer
a.lauterer at proxmox.com
Wed Sep 14 16:15:21 CEST 2022
Something that crossed my mind:
Have you thought about not allowing tags if they match an admin tag, except for
the '+'?
Depending on what they will be used for in the future, there could be some
potential to trick an admin by creating a similar regular tag. Any code relying
on admin tags should not have an issue with that, but even though the color in
the GUI should be different, one could try to trick an admin to do something
they should not, depending on the tags.
Visual spoofing with similar looking UTF8 characters should not be much of an
issue, due to the regex used.
On 6/21/22 11:19, Dominik Csapak wrote:
> normal tags require 'VM.Config.Options' on the VM, admin tags require
> 'Sys.Modify' on '/'
>
> a user can set/delete/reorder tags, as long as no admin tags get
> added/removed
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
[...]
More information about the pve-devel
mailing list