proxmox-mirrors/pve-manager
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-manager synced 2025-08-13 21:24:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

api: notifications: require powerful privileges for target management

Browse Source 
These allow one to indirectly access resources from the POV of the
Proxmox VE cluster nodes. While gotify is relatively harmless, smtp
could already cause more problems to admins that are not aware of the
implications of allowing users to add targets while having some open
smtp relay that is only accessible from networks the PVE nodes can
access but not the user that can talk with PVE's API. The webhook one
is then pretty much free-form and might cause some adverse effects in
environments that are only loosely guarded, and while that might point
at general security problems, it's likely that admins will still place
the blame at our projects.

So while the former should not be problematic, the new not yet fully
released webhooks could have some impact. That said, it currently
requires Mapping.Modify, which is a intermediate powerful level priv,
so it's not like any user could use this. Still, hedging for the
safer side here seems the better choice for now, we still can open
this up if there's user feedback and we deem it safe enough doing so.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2024-11-19 19:13:15 +01:00
parent 76fbfbeea7
commit a3fe9c5410
1 changed files with 70 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
PVE/API2/Cluster/Notifications.pm
View File

@ -500,7 +500,15 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new sendmail endpoint',
permissions => {
check => ['perm', '/mapping/notifications', ['Mapping.Modify']],
check => [
['and',
['perm', '/mapping/notifications', ['Mapping.Modify']],
['or',
['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
],
},
parameters => {
additionalProperties => 0,
@ -548,7 +556,15 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing sendmail endpoint',
permissions => {
check => ['perm', '/mapping/notifications', ['Mapping.Modify']],
check => [
['and',
['perm', '/mapping/notifications', ['Mapping.Modify']],
['or',
['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
],
},
parameters => {
additionalProperties => 0,
@ -764,7 +780,15 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new gotify endpoint',
permissions => {
check => ['perm', '/mapping/notifications', ['Mapping.Modify']],
check => [
['and',
['perm', '/mapping/notifications', ['Mapping.Modify']],
['or',
['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
],
},
parameters => {
additionalProperties => 0,
@ -808,7 +832,15 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing gotify endpoint',
permissions => {
check => ['perm', '/mapping/notifications', ['Mapping.Modify']],
check => [
['and',
['perm', '/mapping/notifications', ['Mapping.Modify']],
['or',
['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
],
},
parameters => {
additionalProperties => 0,
@ -1067,8 +1099,14 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new smtp endpoint',
permissions => {
check => ['or',
['perm', '/mapping/notifications', ['Mapping.Modify']],
check => [
['and',
['perm', '/mapping/notifications', ['Mapping.Modify']],
['or',
['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
],
},
parameters => {
@ -1127,8 +1165,14 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing smtp endpoint',
permissions => {
check => ['or',
['perm', '/mapping/notifications', ['Mapping.Modify']],
check => [
['and',
['perm', '/mapping/notifications', ['Mapping.Modify']],
['or',
['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
],
},
parameters => {
@ -1379,7 +1423,15 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new webhook endpoint',
permissions => {
check => ['perm', '/mapping/notifications', ['Mapping.Modify']],
check => [
['and',
['perm', '/mapping/notifications', ['Mapping.Modify']],
['or',
['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
],
},
parameters => {
additionalProperties => 0,
@ -1412,7 +1464,15 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing webhook endpoint',
permissions => {
check => ['perm', '/mapping/notifications', ['Mapping.Modify']],
check => [
['and',
['perm', '/mapping/notifications', ['Mapping.Modify']],
['or',
['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
],
},
parameters => {
additionalProperties => 0,