proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-10-04 08:21:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

privileges: drop VM.Monitor

Browse Source 
The name VM.Monitor is ambiguous and makes it hard to guess what the
privilege is for. The privilege was used for two things:
1. QEMU guest agent operations, for which dedicated privileges were
   introduced, see commit "add VM.GuestAgent privileges".
2. Access to the QEMU HMP monitor, where only the 'info' and 'help'
   commands were usable without an additional Sys.Modify privilege.
   Access to the monitor will be guarded with Sys.Audit.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Link: https://lore.proxmox.com/20250717133711.84715-3-f.ebner@proxmox.com
This commit is contained in:
Fiona Ebner 2025-07-17 15:36:50 +02:00 committed by Thomas Lamprecht
parent 922f710574
commit 0706945414
2 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/PVE/AccessControl.pm
View File

@ -1061,7 +1061,6 @@ my $privgroups = {
'VM.Clone', 'VM.Clone',
'VM.GuestAgent.Unrestricted', 'VM.GuestAgent.Unrestricted',
'VM.Migrate', 'VM.Migrate',
'VM.Monitor',
'VM.Snapshot', 'VM.Snapshot',
'VM.Snapshot.Rollback', 'VM.Snapshot.Rollback',
], ],

8
src/test/perm-test1.pl
View File

@ -66,8 +66,8 @@ check_permission(
. 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,' . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
. 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,' . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
. 'VM.Console,VM.GuestAgent.Audit,VM.GuestAgent.FileRead,VM.GuestAgent.FileSystemMgmt,' . 'VM.Console,VM.GuestAgent.Audit,VM.GuestAgent.FileRead,VM.GuestAgent.FileSystemMgmt,'
. 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.Monitor,VM.PowerMgmt,' . 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.PowerMgmt,VM.Snapshot,'
. 'VM.Snapshot,VM.Snapshot.Rollback', . 'VM.Snapshot.Rollback',
); );
# Administrator -> Permissions.Modify! # Administrator -> Permissions.Modify!
check_permission( check_permission(
@ -86,8 +86,8 @@ check_permission(
. 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,' . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
. 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,' . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
. 'VM.Console,VM.GuestAgent.Audit,VM.GuestAgent.FileRead,VM.GuestAgent.FileSystemMgmt,' . 'VM.Console,VM.GuestAgent.Audit,VM.GuestAgent.FileRead,VM.GuestAgent.FileSystemMgmt,'
. 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.Monitor,VM.PowerMgmt,' . 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.PowerMgmt,VM.Snapshot,'
. 'VM.Snapshot,VM.Snapshot.Rollback', . 'VM.Snapshot.Rollback',
); );
check_roles('max@pve', '/vms/200', 'storage_manager'); check_roles('max@pve', '/vms/200', 'storage_manager');