[pve-devel] [PATCH container 2/3] create/restore: require Sys.Modify for privileged containers
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Jul 30 17:00:11 CEST 2025
except for in-place restore where both the current and the backed-up config are
already privileged.
this covers the following cases:
- creating a fresh container: defaults to unprivileged, requires Sys.Modify if set to privileged
- restoring with explicit override of unprivileged value to make the container privileged
- in-place restoring of privileged backup over unprivileged config
- restoring of privileged backup into new container
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
src/PVE/API2/LXC.pm | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index a247b80..951b1c7 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -139,7 +139,8 @@ __PACKAGE__->register_method({
description =>
"You need 'VM.Allocate' permission on /vms/{vmid} or on the VM pool /pool/{pool}. "
. "For restore, it is enough if the user has 'VM.Backup' permission and the VM already exists. "
- . "You also need 'Datastore.AllocateSpace' permissions on the storage.",
+ . "You also need 'Datastore.AllocateSpace' permissions on the storage. "
+ . "For privileged containers, 'Sys.Modify' permissions on '/' are required.",
},
protected => 1,
proxyto => 'node',
@@ -254,6 +255,7 @@ __PACKAGE__->register_method({
# fixme: limit allowed parameters
} else {
$unprivileged = 1 if !defined($unprivileged);
+ $rpcenv->check($authuser, '/', ['Sys.Modify']) if !$unprivileged;
}
my $force = extract_param($param, 'force');
@@ -289,12 +291,11 @@ __PACKAGE__->register_method({
# since the user is lacking permission to configure the container's FW
$skip_fw_config_restore = 1;
- # error out if a user tries to change from unprivileged to privileged
+ # error out if a user tries to change from unprivileged to privileged without required privileges
# explicit change is checked here, implicit is checked down below or happening in root-only paths
my $conf = PVE::LXC::Config->load_config($vmid);
if ($conf->{unprivileged} && defined($unprivileged) && !$unprivileged) {
- raise_perm_exc(
- "cannot change from unprivileged to privileged without VM.Allocate");
+ $rpcenv->check($authuser, '/', ['Sys.Modify']);
}
} else {
raise_perm_exc();
@@ -442,9 +443,12 @@ __PACKAGE__->register_method({
assert_not_restore_from_external($archive, $storage_cfg)
if !$conf->{unprivileged};
- # implicit privileged change is checked here
- if ($old_conf->{unprivileged} && !$conf->{unprivileged}) {
- $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Allocate']);
+ # implicit privileged change, or creating a new privileged container is checked here
+ if (
+ (!$same_container_exists || $old_conf->{unprivileged})
+ && !$conf->{unprivileged}
+ ) {
+ $rpcenv->check($authuser, '/', ['Sys.Modify']);
}
}
}
--
2.39.5
More information about the pve-devel
mailing list