[pve-devel] [PATCH qemu-server 2/6] partially fix #6805: api: modify vm config: privilege checks for VM-state-related properties

Fiona Ebner f.ebner at proxmox.com
Wed Sep 17 18:30:26 CEST 2025 

Currently, the VM-state-related properties 'runningcpu',
'runningmachine' and 'running-nets-host-mtu' are not supposed to end
up in the VM configuration of a remote-migratable VM, because a
suspended VM is not yet migratable. However, there was a bug and the
properties were not removed after cloning from a snapshot, see commit
"partially fix #6805: api: clone: properly remove all snapshot-related
info". Upon remote migration, the property would be encountered and
would be limited to root at pam only. Also, migrating suspended VMs might
be implemented in the future, i.e. BZ issue #2252.

To aid fixing bug #6805 and preparing for issue #2252 in the future,
do proper privilege checking for configuration properties related to
the running VM state.

Note that the 'vmstate' property is already checked for in the
check_vm_modify_config_perm() helper. Note that VM-state-related
properties cannot be set via API by a user.

Originally-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
 src/PVE/API2/Qemu.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
index 8097ea87..594c5d48 100644
--- a/src/PVE/API2/Qemu.pm
+++ b/src/PVE/API2/Qemu.pm
@@ -732,6 +732,7 @@ my $check_cpu_model_access = sub {
 my $cpuoptions = {
     'cores' => 1,
     'cpu' => 1,
+    'runningcpu' => 1,
     'cpulimit' => 1,
     'cpuunits' => 1,
     'numa' => 1,
@@ -751,6 +752,7 @@ my $hwtypeoptions = {
     'hotplug' => 1,
     'kvm' => 1,
     'machine' => 1,
+    'runningmachine' => 1,
     'scsihw' => 1,
     'smbios1' => 1,
     'tablet' => 1,
@@ -957,7 +959,7 @@ my $check_vm_modify_config_perm = sub {
             $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
         } elsif ($diskoptions->{$opt}) {
             $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
-        } elsif ($opt =~ m/^net\d+$/) {
+        } elsif ($opt =~ m/^net\d+$/ || $opt eq 'running-nets-host-mtu') {
             $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
         } elsif ($cloudinitoptions->{$opt} || $opt =~ m/^ipconfig\d+$/) {
             $rpcenv->check_vm_perm(
-- 
2.47.2

More information about the pve-devel mailing list