($path, $ownervm, $vtype) = PVE::Storage::path($storecfg, $volid);
if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
# we simply allow access
- } elsif (!$ownervm || ($ownervm != $vmid)) {
+ } elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) {
+ # we are owner - allow access
+ } elsif ($vtype eq 'backup' && $ownervm) {
+ $self->check($user, "/storage/$sid", ['Datastore.AllocateSpace']);
+ $self->check($user, "/vms/$ownervm", ['VM.Backup']);
+ } else {
# allow if we are Datastore administrator
$self->check($user, "/storage/$sid", ['Datastore.Allocate']);
}
if $user ne 'root@pam';
$path = abs_path($volid);
+ if ($path =~ m|^(/.+)$|) {
+ $path = $1; # untaint any path
+ }
}
return $path;
}
die "missing parameters" if !$subtest;
if ($subtest eq 'self') {
return 0 if !$self->check_user_exist($userid, $noerr);
- return 1 if $username eq 'userid';
+ return 1 if $username eq $userid;
return 0 if $noerr;
raise_perm_exc();
} elsif ($subtest eq 'Realm.AllocateUser') {
# STDOUT,STDERR are redirected to the filename returned by upid_decode
# NOTE: we simulate running in foreground if ($self->{type} eq 'cli')
sub fork_worker {
- my ($self, $dtype, $id, $user, $function) = @_;
+ my ($self, $dtype, $id, $user, $function, $background) = @_;
$dtype = 'unknown' if !defined ($dtype);
$id = '' if !defined ($id);
$user = 'root@pve' if !defined ($user);
- my $sync = $self->{type} eq 'cli' ? 1 : 0;
+ my $sync = ($self->{type} eq 'cli' && !$background) ? 1 : 0;
local $SIG{INT} =
local $SIG{QUIT} =
projects / pve-access-control.git / blobdiff