[pve-devel] [PATCH pve-firewall v4 6/9] api: load sdn ipsets

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Nov 18 12:38:04 CET 2024


On 18.11.24 at 10:02, Stefan Hanreich wrote:
> Depends on if you consider a database of all assigned IPs inside the
> cluster as sensitive information, iirc we erred on the side of caution
> in this case and stored it in /etc/pve/priv.

We briefly talked off-list about that, but I think it might be worth
stating this on the list too:

It's sensitive information as in "let's not make that broadly available via
the API to unprivileged users" not secrets that can be used to access third
party systems or break encryption, thus let's be extra vigilant to hedge
against the case where a non-root user/process gets taken over.
/etc/pve/priv is for the latter, not the former, as otherwise we would also
need to move most configs in there.

I'll take a short look if it's easily possible to add a sane migration path
at pmxcfs level, handling this transparently, otherwise we'll have to add
some compat handling at higher levels.






More information about the pve-devel mailing list