fix #4321: properly check cloud-init drive permissions

The process for editing Cloud-init drives checked for inconsistent
permissions: for adding, the VM.Config.Disk permission was needed, while
the VM.Config.CDROM permission was needed to remove a drive. The regex
in drive_is_cloudinit needed to be adapted since the drive names have
different formats before/after they are actually generated.

Due to the regex letting names fall through before, Cloud-init drives
were being checked as disks, even though they are actually treated as
CDROM drives. Due to this, it makes more sense to check for
VM.Config.CDROM instead, while also requiring VM.Config.Cloudinit, since
generating a Cloud-init drive already generates default values that are
passed to the VM.

Signed-off-by: Leo Nunner <l.nunner@proxmox.com>

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index edb495bc6219e0413d406ba1afacb2a937cfb8c0..5426512302ae1aa1bdf2da6a475f06574b7e6db0 100644 (file)
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -1627,11 +1627,13 @@ my $update_vm_api  = sub {
            my $check_drive_perms = sub {
                my ($opt, $val) = @_;
                my $drive = PVE::QemuServer::parse_drive($opt, $val, 1);
-               # FIXME: cloudinit: CDROM or Disk?
-               if (PVE::QemuServer::drive_is_cdrom($drive)) { # CDROM
+               if (PVE::QemuServer::drive_is_cloudinit($drive)) {
+                   $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Cloudinit', 'VM.Config.CDROM']);
+               } elsif (PVE::QemuServer::drive_is_cdrom($drive, 1)) { # CDROM
                    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.CDROM']);
                } else {
                    $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']);
+
                }
            };
 

diff --git a/PVE/QemuServer/Drive.pm b/PVE/QemuServer/Drive.pm
index 1dc6171a53ef4e6e1a78b7ceb59fb97225a6d144..12a1fbe20497b94ab65a124ade78172e274ea5d7 100644 (file)
--- a/PVE/QemuServer/Drive.pm
+++ b/PVE/QemuServer/Drive.pm
@@ -540,7 +540,7 @@ sub verify_bootdisk {
 
 sub drive_is_cloudinit {
     my ($drive) = @_;
-    return $drive->{file} =~ m@[:/]vm-\d+-cloudinit(?:\.$QEMU_FORMAT_RE)?$@;
+    return $drive->{file} =~ m@[:/](?:vm-\d+-)?cloudinit(?:\.$QEMU_FORMAT_RE)?$@;
 }
 
 sub drive_is_cdrom {