roles: restrict Permissions.Modify to Administrator

to reduce the chances of accidentally handing out privilege modification
privileges. the old default setup of having Permissions.Modify in PVESysAdmin
and PVEAdmin weakened the distinction between those roles and Administrator.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

src/PVE/AccessControl.pm

@@ -1060,7 +1060,6 @@ my $privgroups = {
 	    'Sys.Incoming', # incoming storage/guest migrations
 	],
 	admin => [
-	    'Permissions.Modify',
 	    'Sys.Console',
 	    'Sys.Syslog',
 	],
@@ -1118,7 +1117,9 @@ my $privgroups = {
     },
 };
 
-my $valid_privs = {};
+my $valid_privs = {
+    'Permissions.Modify' => 1, # not contained in a group
+};
 
 my $special_roles = {
     'NoAccess' => {}, # no privileges

src/test/perm-test1.pl

@@ -58,6 +58,10 @@ check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
 check_permission('alex@pve', '/vms', '');
 check_permission('alex@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
 
+# PVEVMAdmin -> no Permissions.Modify!
+check_permission('alex@pve', '/vms/300', 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback');
+# Administrator -> Permissions.Modify!
+check_permission('alex@pve', '/vms/400', 'Datastore.Allocate,Datastore.AllocateSpace,Datastore.AllocateTemplate,Datastore.Audit,Group.Allocate,Permissions.Modify,Pool.Allocate,Pool.Audit,Realm.Allocate,Realm.AllocateUser,SDN.Allocate,SDN.Audit,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,User.Modify,VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback');
 
 check_roles('max@pve', '/vms/200', 'storage_manager');
 check_roles('joe@pve', '/vms/200', 'vm_admin');

src/test/perm-test8.pl

@@ -50,7 +50,7 @@ check_roles('max@pve', '/vms/100', 'customer');
 check_roles('max@pve', '/vms/101', 'vm_admin');
 
 check_permission('max@pve', '/', '');
-check_permission('max@pve', '/vms', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
+check_permission('max@pve', '/vms', 'VM.Allocate,VM.Audit,VM.Console');
 check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
 
 check_permission('alex@pve', '/vms', '');
@@ -66,7 +66,7 @@ check_roles('max@pve!token', '/vms/200', 'storage_manager');
 check_roles('max@pve!token2', '/vms/200', 'customer');
 
 # check intersection -> token has Administrator, but user only vm_admin
-check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt');
+check_permission('max@pve!token2', '/vms/300', 'VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt');
 
 print "all tests passed\n";
 

src/test/test1.cfg

@@ -19,4 +19,6 @@ acl:1:/users:max@pve:Administrator:
 
 acl:1:/vms/200:@testgroup3:storage_manager:
 acl:1:/vms/200:@testgroup2:NoAccess:
+acl:1:/vms/300:alex@pve:PVEVMAdmin:
+acl:1:/vms/400:alex@pve:Administrator:
 

src/test/test8.cfg

@@ -13,7 +13,7 @@ group:testgroup3:max@pve:
 
 role:storage_manager:Datastore.AllocateSpace,Datastore.Audit:
 role:customer:VM.Audit,VM.PowerMgmt:
-role:vm_admin:VM.Audit,VM.Allocate,Permissions.Modify,VM.Console:
+role:vm_admin:VM.Audit,VM.Allocate,VM.Console:
 
 acl:1:/vms:@testgroup1:vm_admin:
 acl:0:/vms/300:max@pve:customer: