From a8f2f4271428cbf4c9c4f2626e90266ccfcb84be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Wed, 23 Nov 2016 09:17:07 +0100
Subject: [PATCH] restrict monitor API to Sys.Modify for most commands because these allow adding arbitrary devices to VMs (and other potentially dangerous things). whitelist 'info *' and 'help' as usable with just VM.Monitor, if more are desired and requested they can be added later.
---
 PVE/API2/Qemu.pm | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 7de1663f..902f028f 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -2796,6 +2796,7 @@ __PACKAGE__->register_method({
 proxyto => 'node',
 description => "Execute Qemu monitor commands.",
 permissions => {
+ description => "Sys.Modify is required for (sub)commands which are not read-only ('info *' and 'help')",
 check => ['perm', '/vms/{vmid}', [ 'VM.Monitor' ]],
 },
 parameters => {
@@ -2813,6 +2814,18 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
+ my $rpcenv = PVE::RPCEnvironment::get();
+ my $authuser = $rpcenv->get_user();
+
+ my $is_ro = sub {
+ my $command = shift;
+ return $command =~ m/^\s*info(\s+|$)/
+ || $command =~ m/^\s*help\s*$/;
+ };
+
+ $rpcenv->check_full($authuser, "/", ['Sys.Modify'])
+ if !&$is_ro($param->{command});
+ my $vmid = $param->{vmid};
 my $conf = PVE::QemuConfig->load_config ($vmid); # check if VM exists
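Review bot: The `info` branch of `$is_ro` in the second hunk is a prefix match, so whatever follows `info ` is forwarded to the monitor with only VM.Monitor and no further validation. The privilege split therefore rests on two assumptions that are not visible in this hunk: that every `info` subcommand is side-effect free, and that the monitor treats the string as exactly one command. I would make the helper fail closed on embedded line breaks with `return 0 if $command =~ m/[\r\n]/;` ahead of the two matches, anchor them with `\A`/`\z` instead of `^`/`$`, and put a comment above `$is_ro` such as `# allowlist of read-only HMP commands; anything else needs Sys.Modify on /`. The `check` entry in the first hunk still lists only VM.Monitor, so this in-code `check_full` is the sole enforcement point and deserves a regression test with a non-`info` command issued by a VM.Monitor-only user. The `code => sub` body continues outside the hunk.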