5
0
mirror of git://git.proxmox.com/git/pve-access-control.git synced 2025-09-20 17:44:22 +03:00

roles: restrict Permissions.Modify to Administrator

to reduce the chances of accidentally handing out privilege modification
privileges. the old default setup of having Permissions.Modify in PVESysAdmin
and PVEAdmin weakened the distinction between those roles and Administrator.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler
2023-06-05 16:21:36 +02:00
committed by Thomas Lamprecht
parent 27014b5908
commit df619a8dc2
5 changed files with 12 additions and 5 deletions

View File

@@ -1060,7 +1060,6 @@ my $privgroups = {
'Sys.Incoming', # incoming storage/guest migrations
],
admin => [
'Permissions.Modify',
'Sys.Console',
'Sys.Syslog',
],
@@ -1118,7 +1117,9 @@ my $privgroups = {
},
};
my $valid_privs = {};
my $valid_privs = {
'Permissions.Modify' => 1, # not contained in a group
};
my $special_roles = {
'NoAccess' => {}, # no privileges

View File

@@ -58,6 +58,10 @@ check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
check_permission('alex@pve', '/vms', '');
check_permission('alex@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
# PVEVMAdmin -> no Permissions.Modify!
check_permission('alex@pve', '/vms/300', 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback');
# Administrator -> Permissions.Modify!
check_permission('alex@pve', '/vms/400', 'Datastore.Allocate,Datastore.AllocateSpace,Datastore.AllocateTemplate,Datastore.Audit,Group.Allocate,Permissions.Modify,Pool.Allocate,Pool.Audit,Realm.Allocate,Realm.AllocateUser,SDN.Allocate,SDN.Audit,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,User.Modify,VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback');
check_roles('max@pve', '/vms/200', 'storage_manager');
check_roles('joe@pve', '/vms/200', 'vm_admin');

View File

@@ -50,7 +50,7 @@ check_roles('max@pve', '/vms/100', 'customer');
check_roles('max@pve', '/vms/101', 'vm_admin');
check_permission('max@pve', '/', '');
check_permission('max@pve', '/vms', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
check_permission('max@pve', '/vms', 'VM.Allocate,VM.Audit,VM.Console');
check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
check_permission('alex@pve', '/vms', '');
@@ -66,7 +66,7 @@ check_roles('max@pve!token', '/vms/200', 'storage_manager');
check_roles('max@pve!token2', '/vms/200', 'customer');
# check intersection -> token has Administrator, but user only vm_admin
check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt');
check_permission('max@pve!token2', '/vms/300', 'VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt');
print "all tests passed\n";

View File

@@ -19,4 +19,6 @@ acl:1:/users:max@pve:Administrator:
acl:1:/vms/200:@testgroup3:storage_manager:
acl:1:/vms/200:@testgroup2:NoAccess:
acl:1:/vms/300:alex@pve:PVEVMAdmin:
acl:1:/vms/400:alex@pve:Administrator:

View File

@@ -13,7 +13,7 @@ group:testgroup3:max@pve:
role:storage_manager:Datastore.AllocateSpace,Datastore.Audit:
role:customer:VM.Audit,VM.PowerMgmt:
role:vm_admin:VM.Audit,VM.Allocate,Permissions.Modify,VM.Console:
role:vm_admin:VM.Audit,VM.Allocate,VM.Console:
acl:1:/vms:@testgroup1:vm_admin:
acl:0:/vms/300:max@pve:customer: