From 7ee990cd30f90b2d041106c7df1d2d60e26ae54f Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Thu, 3 May 2018 14:10:57 +0200
Subject: [PATCH] implement permission checks for cloud-init related options

Most cloud-init options are network related, so we simply check for VM.Config.Network priviledge.

Signed-off-by: Dietmar Maurer
---
 PVE/API2/Qemu.pm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index fb8a6e3c..8d4b10d3 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -291,6 +291,15 @@ my $diskoptions = {
 'vmstatestorage' => 1,
 };
+my $cloudinitoptions = {
+ cipassword => 1,
+ citype => 1,
+ ciuser => 1,
+ nameserver => 1,
+ searchdomain => 1,
+ sshkeys => 1,
+};
+
 my $check_vm_modify_config_perm = sub {
 my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
@@ -318,7 +327,7 @@ my $check_vm_modify_config_perm = sub {
 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
 } elsif ($diskoptions->{$opt}) {
 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
- } elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) {
+ } elsif ($cloudinitoptions->{$opt} || ($opt =~ m/^(?:net|ipconfig)\d+$/)) {
 $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
 } else {
 # catches usb\d+, hostpci\d+, args, lock, etc.
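Review bot: `cipassword`, `ciuser` and `sshkeys` in `$cloudinitoptions` are guest login credentials rather than network settings, yet this table (and the `elsif` in the second hunk that consumes it) lets any holder of `VM.Config.Network` set them. The commit message itself says only "most" cloud-init options are network related, so the credential keys probably deserve a stricter or dedicated privilege, or at least a comment above the hash recording the decision, e.g. `# NOTE: cipassword/ciuser/sshkeys grant in-guest login; gated on VM.Config.Network by design`. Before this change these keys presumably fell through to the final `else` branch, whose body is outside the hunk, so it is worth confirming that the relaxation is intended for each key.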
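Review bot: The key pattern on the rewritten `elsif` line is anchored with `^`/`$`, and in Perl `$` also matches before a trailing newline, so a key consisting of `net0` plus a newline would still select the `VM.Config.Network` branch. Whether such a key can reach this sub depends on validation done elsewhere, which the hunk does not show; anchoring with `m/\A(?:net|ipconfig)\d+\z/` removes that dependency. The enclosing `$check_vm_modify_config_perm` sub starts and ends outside the hunk.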