[pve-devel] applied: [PATCH access-control] api: ACL update: fix handling of Permissions.Modify
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Jul 16 18:14:33 CEST 2024
Am 11/07/2024 um 13:44 schrieb Fabian Grünbichler:
> with 8.x, the scope of non-"Permissions.Modify"-based ACL update privileges
> were reduced (so that users with for example, VM.Allocate on a VM could only
> delegate their own privileges, but not arbitrary other ones). that additional
> logic had a wrong guard and was accidentally triggered for calls where the user
> had the "Permissions.Modify" privilege on the modified ACL path, but without
> propagation set.
>
> a user with "Permissions.Modify" on a path should be able to set arbitrary
> ACLs for that path, even without propagation.
>
> reported on the forum:
>
> https://forum.proxmox.com/threads/privilege-permissions-modify-on-pool-will-not-propagade-to-contained-vms-anymore.151032/
Could be:
Reported on the forum: https://forum.proxmox.com/threads/151032/
>
> Fixes: 46bfd59dfca655b263d1f905be37d985416717ac ("acls: restrict less-privileged ACL modifications")
>
please no extra newlines between trailers like Fixes or your S-o-b.
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> src/PVE/API2/ACL.pm | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>
applied, with above commit message nits addressed and reflowed to <= 70 cc,
thanks!
More information about the pve-devel
mailing list