git.proxmox.com Git - pve-access-control.git/commit

author	Fabian Grünbichler <f.gruenbichler@proxmox.com>
	Mon, 5 Jun 2023 14:21:37 +0000 (16:21 +0200)
committer	Thomas Lamprecht <t.lamprecht@proxmox.com>
	Wed, 7 Jun 2023 09:13:16 +0000 (11:13 +0200)
commit	46bfd59dfca655b263d1f905be37d985416717ac
tree	6294b010f120993a17a52d648896bf020650ead0	tree
parent	df619a8dc2fe518b10f951c86e51e3d4c204936b	commit \| diff

acls: restrict less-privileged ACL modifications

there are currently three possibilities to modify ACLs without the
'Permissions.Modify' privilege in PVE::RPCEnvironment::check_perm_modify:

    if ($path =~ m|^/storage/.+$|) {
push @$testperms, 'Datastore.Allocate';
    } elsif ($path =~ m|^/vms/.+$|) {
push @$testperms, 'VM.Allocate';
    } elsif ($path =~ m|^/pool/.+$|) {
push @$testperms, 'Pool.Allocate';
    }

lock those down by only allowing the currently authenticated user to hand out a
subset of their own privileges, never more.

for example, this still allows a PVEVMAdmin to create ACLs for other
users/tokens with PVEVMUser (on '/vm/XXX'), but not with Administrator or
PVEPermAdmin.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>