fix #4321: properly check cloud-init drive permissions

The process for editing Cloud-init drives checked for inconsistent permissions: for adding, the VM.Config.Disk permission was needed, while the VM.Config.CDROM permission was needed to remove a drive. The regex in drive_is_cloudinit needed to be adapted since the drive names have different formats before/after they are actually generated. Due to the regex letting names fall through before, Cloud-init drives were being checked as disks, even though they are actually treated as CDROM drives. Due to this, it makes more sense to check for VM.Config.CDROM instead, while also requiring VM.Config.Cloudinit, since generating a Cloud-init drive already generates default values that are passed to the VM. Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
2025-04-30 07:39:02 +00:00 · 2022-11-16 18:34:29 +01:00 · 2022-11-16 18:34:29 +01:00 · f5a88e9870
commit f5a88e9870
parent 0a1c4503e5
2 changed files with 5 additions and 3 deletions
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@ -1627,11 +1627,13 @@ my $update_vm_api  = sub {
 	    my $check_drive_perms = sub {
 		my ($opt, $val) = @_;
 		my $drive = PVE::QemuServer::parse_drive($opt, $val, 1);
-		# FIXME: cloudinit: CDROM or Disk?
-		if (PVE::QemuServer::drive_is_cdrom($drive)) { # CDROM
+		if (PVE::QemuServer::drive_is_cloudinit($drive)) {
+		    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Cloudinit', 'VM.Config.CDROM']);
+		} elsif (PVE::QemuServer::drive_is_cdrom($drive, 1)) { # CDROM
 		    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.CDROM']);
 		} else {
 		    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']);
+
 		}
 	    };

--- a/PVE/QemuServer/Drive.pm
+++ b/PVE/QemuServer/Drive.pm
@ -540,7 +540,7 @@ sub verify_bootdisk {

 sub drive_is_cloudinit {
    my ($drive) = @_;
-    return $drive->{file} =~ m@[:/]vm-\d+-cloudinit(?:\.$QEMU_FORMAT_RE)?$@;
+    return $drive->{file} =~ m@[:/](?:vm-\d+-)?cloudinit(?:\.$QEMU_FORMAT_RE)?$@;
 }

 sub drive_is_cdrom {