[pve-devel] [PATCH container 2/3] create/restore: require Sys.Modify for privileged containers

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Jul 30 17:00:11 CEST 2025


except for in-place restore where both the current and the backed-up config are
already privileged.

this covers the following cases:
- creating a fresh container: defaults to unprivileged, requires Sys.Modify if set to privileged
- restoring with explicit override of unprivileged value to make the container privileged
- in-place restoring of privileged backup over unprivileged config
- restoring of privileged backup into new container

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 src/PVE/API2/LXC.pm | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index a247b80..951b1c7 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -139,7 +139,8 @@ __PACKAGE__->register_method({
         description =>
             "You need 'VM.Allocate' permission on /vms/{vmid} or on the VM pool /pool/{pool}. "
             . "For restore, it is enough if the user has 'VM.Backup' permission and the VM already exists. "
-            . "You also need 'Datastore.AllocateSpace' permissions on the storage.",
+            . "You also need 'Datastore.AllocateSpace' permissions on the storage. "
+            . "For privileged containers, 'Sys.Modify' permissions on '/' are required.",
     },
     protected => 1,
     proxyto => 'node',
@@ -254,6 +255,7 @@ __PACKAGE__->register_method({
             # fixme: limit allowed parameters
         } else {
             $unprivileged = 1 if !defined($unprivileged);
+            $rpcenv->check($authuser, '/', ['Sys.Modify']) if !$unprivileged;
         }
 
         my $force = extract_param($param, 'force');
@@ -289,12 +291,11 @@ __PACKAGE__->register_method({
             # since the user is lacking permission to configure the container's FW
             $skip_fw_config_restore = 1;
 
-            # error out if a user tries to change from unprivileged to privileged
+            # error out if a user tries to change from unprivileged to privileged without required privileges
             # explicit change is checked here, implicit is checked down below or happening in root-only paths
             my $conf = PVE::LXC::Config->load_config($vmid);
             if ($conf->{unprivileged} && defined($unprivileged) && !$unprivileged) {
-                raise_perm_exc(
-                    "cannot change from unprivileged to privileged without VM.Allocate");
+                $rpcenv->check($authuser, '/', ['Sys.Modify']);
             }
         } else {
             raise_perm_exc();
@@ -442,9 +443,12 @@ __PACKAGE__->register_method({
                         assert_not_restore_from_external($archive, $storage_cfg)
                             if !$conf->{unprivileged};
 
-                        # implicit privileged change is checked here
-                        if ($old_conf->{unprivileged} && !$conf->{unprivileged}) {
-                            $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Allocate']);
+                        # implicit privileged change, or creating a new privileged container is checked here
+                        if (
+                            (!$same_container_exists || $old_conf->{unprivileged})
+                            && !$conf->{unprivileged}
+                        ) {
+                            $rpcenv->check($authuser, '/', ['Sys.Modify']);
                         }
                     }
                 }
-- 
2.39.5





More information about the pve-devel mailing list