proxmox-mirrors/qemu-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/qemu-server synced 2025-06-24 22:41:06 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

implement permission checks for cloud-init related options

Browse Source 
Most cloud-init options are network related, so we simply check
for VM.Config.Network priviledge.

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
This commit is contained in:
Dietmar Maurer 2018-05-03 14:10:57 +02:00 committed by Wolfgang Bumiller
parent 503308ed91
commit 7ee990cd30
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
PVE/API2/Qemu.pm
View File

@ -291,6 +291,15 @@ my $diskoptions = {
'vmstatestorage' => 1, 'vmstatestorage' => 1,
}; };
my $cloudinitoptions = {
cipassword => 1,
citype => 1,
ciuser => 1,
nameserver => 1,
searchdomain => 1,
sshkeys => 1,
};
my $check_vm_modify_config_perm = sub { my $check_vm_modify_config_perm = sub {
my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_; my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
@ -318,7 +327,7 @@ my $check_vm_modify_config_perm = sub {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']); $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
} elsif ($diskoptions->{$opt}) { } elsif ($diskoptions->{$opt}) {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']); $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
} elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) { } elsif ($cloudinitoptions->{$opt} || ($opt =~ m/^(?:net|ipconfig)\d+$/)) {
$rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']); $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
} else { } else {
# catches usb\d+, hostpci\d+, args, lock, etc. # catches usb\d+, hostpci\d+, args, lock, etc.