[pve-devel] [PATCH access-control] add Sys.AccessNetwork privilege

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Feb 19 18:14:09 CET 2024 

We have some API endpoints that can access the network from the POV of
a Proxmox VE node, like e.g., the one for downloading a template/ISO
image directly to a PVE storage from an HTTP URL, and the matching
query-url-metadata that makes this functionality much more convenient
to use in the UI. But the downside of such calls is naturally that
they basically allow to scan the whole network via HTTP URLs, and
potentially even download some image that the user should not have
access to and adding to a VM that the user controls.

Due to that we limited the exposure of those API endpoints to
Sys.Modify on / (in addition to e.g. basic storage privs) for the
initial addition of the feature, as we were not sure about user
adoption and if a separate privilege could be justified.

Since we got a handful requests like #5254 this justification is now
met, so add a 'Sys.AccessNetwork' privilege.
That name should make it clear that having that privilege will allow
access to the network and the sys(tem) prefix should underline that
it's about the host systems network. Add it such, that it will only be
available for the most powerful of our built-in special roles, namely
the Administration one, besides naturally the all-powerful root at pam
special user.

Admins can then e.g. create new roles that include Sys.AccessNetwork
and Datastore.AllocateTemplate which can then be used for allowing
automation to download images while adhering to the Least Privilege
Principle.

Buglink: https://bugzilla.proxmox.com/show_bug.cgi?id=5254
Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 src/PVE/AccessControl.pm | 1 +
 src/test/perm-test1.pl   | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 25fc0d9..faea70d 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1065,6 +1065,7 @@ my $privgroups = {
 	    'Sys.PowerMgmt',
 	    'Sys.Modify', # edit/change node settings
 	    'Sys.Incoming', # incoming storage/guest migrations
+	    'Sys.AccessNetwork', # for, e.g., downloading ISOs from any URL
 	],
 	admin => [
 	    'Sys.Console',
diff --git a/src/test/perm-test1.pl b/src/test/perm-test1.pl
index 27aadeb..df9fe90 100755
--- a/src/test/perm-test1.pl
+++ b/src/test/perm-test1.pl
@@ -79,7 +79,7 @@ check_permission(
     . 'Pool.Allocate,Pool.Audit,'
     . 'Realm.Allocate,Realm.AllocateUser,'
     . 'SDN.Allocate,SDN.Audit,SDN.Use,'
-    . 'Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
+    . 'Sys.AccessNetwork,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
     . 'User.Modify,'
     . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
     . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
-- 
2.39.2

More information about the pve-devel mailing list