[pve-devel] [RFC manager 3/3] fix #6094: api: acme: allow to get plugin info with Sys.Audit on /
Fiona Ebner
f.ebner at proxmox.com
Tue May 6 15:52:47 CEST 2025
On 17.02.25 at 13:19, Daniel Kral wrote:
> Relax the required permissions to query the list of ACME plugins and
> their configurations. Both API endpoints do only read the ACME plugins
> configuration file but do not modify any system state.
Can't there be secrets in there that should not leak? I.e. the plugin
config file is in /etc/pve/priv, so I'm not sure this should be relaxed.
Even if it doesn't modify the state, it might be too sensitive for
Sys.Audit.
> Keep Sys.Modify for backwards compatibility.
>
> Signed-off-by: Daniel Kral <d.kral at proxmox.com>
> ---
> PVE/API2/ACMEPlugin.pm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/PVE/API2/ACMEPlugin.pm b/PVE/API2/ACMEPlugin.pm
> index 30616625..ad5625fa 100644
> --- a/PVE/API2/ACMEPlugin.pm
> +++ b/PVE/API2/ACMEPlugin.pm
> @@ -51,7 +51,7 @@ __PACKAGE__->register_method ({
> path => '',
> method => 'GET',
> permissions => {
> - check => ['perm', '/', [ 'Sys.Modify' ]],
> + check => ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ], any => 1],
> },
> description => "ACME plugin index.",
> protected => 1,
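Review bot: the relaxed check on the "ACME plugin index" GET (path => '') lets any holder of Sys.Audit on / list the plugins, but nothing in this hunk limits which properties the index returns. If the handler returns per-plugin settings rather than only identifiers and types, audit-only users would read data from a file that, as noted in the reply above, is kept under /etc/pve/priv. Either keep `check => ['perm', '/', [ 'Sys.Modify' ]]` here, or have the handler return only non-sensitive fields to callers that lack Sys.Modify, and extend the description to state what an audit-only caller can see.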
> @@ -98,7 +98,7 @@ __PACKAGE__->register_method({
> method => 'GET',
> description => "Get ACME plugin configuration.",
> permissions => {
> - check => ['perm', '/', [ 'Sys.Modify' ]],
> + check => ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ], any => 1],
> },
> protected => 1,
> parameters => {
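Review bot: on the "Get ACME plugin configuration." GET, `[ 'Sys.Audit', 'Sys.Modify' ], any => 1` makes Sys.Audit alone sufficient to read a single plugin's full configuration, and this hunk adds no redaction of the returned values. This is the more sensitive of the two endpoints, since it is described as returning the configuration itself and the backing file is under /etc/pve/priv. I would leave this check at Sys.Modify unless the handler strips secret-bearing properties for callers without Sys.Modify, and the commit message should say which fields were reviewed and judged safe to expose.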