[pve-devel] [PATCH qemu-server] fix #5574: api: fix permission check for 'spice' usb port

Dominik Csapak d.csapak at proxmox.com
Mon Jul 8 13:56:17 CEST 2024


With the last change in the permission check, I accidentally broke the
check for 'spice' host value, since in the if/elsif/else this will fall
through to the else case which was only intended for when neither 'host'
nor 'mapping' was set.

This made 'spice' only settable by root@pam since there we return early.

To fix this, move the spice check into the 'host' branch, but only error
out in case it's not spice.

Fixes: e3971865 (enable cluster mapped USB devices for guests)
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 PVE/API2/Qemu.pm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index efe69b5c..a3313f3a 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -661,8 +661,12 @@ my sub check_usb_perm {
     $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
 
     my $device = PVE::JSONSchema::parse_property_string('pve-qm-usb', $value);
-    if ($device->{host} && $device->{host} !~ m/^spice$/i) {
-	die "only root can set '$opt' config for real devices\n";
+    if ($device->{host}) {
+	if ($device->{host} =~ m/^spice$/i) {
+	    # already checked generic permission above
+	} else {
+	    die "only root can set '$opt' config for real devices\n";
+	}
     } elsif ($device->{mapping}) {
 	$rpcenv->check_full($authuser, "/mapping/usb/$device->{mapping}", ['Mapping.Use']);
     } else {
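Review bot: the `if ($device->{host} =~ m/^spice$/i)` branch in the new `host` block has an empty body holding only a comment, which is easy to misread as unfinished code. An inverted guard inside the `host` branch, such as `die "only root can set '$opt' config for real devices\n" if $device->{host} !~ m/^spice$/i;`, keeps the same behaviour with the comment placed above it. Since `$` also matches before a trailing newline, anchoring with `\z` would make the 'spice' match exact, unless the 'pve-qm-usb' format parsed just above already guarantees that. The diffstat shows only PVE/API2/Qemu.pm changed; a regression test in which a non-root user holding VM.Config.HWType sets host=spice would guard against this branch ordering breaking again.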
-- 
2.39.2




