document bind/device mp permissions better

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
index fd6178bdabd1a5f067506cde6c10da51c8ce8e53..e3909a3bb885962eb2f3a5da4456619b5a8130ed 100644 (file)
--- a/src/PVE/API2/LXC/Config.pm
+++ b/src/PVE/API2/LXC/Config.pm
@@ -72,6 +72,7 @@ __PACKAGE__->register_method({
     description => "Set container options.",
     permissions => {
        check => ['perm', '/vms/{vmid}', $vm_config_perm_list, any => 1],
+       description => 'non-volume mount points in rootfs and mp[n] are restricted to root@pam',
     },
     parameters => {
        additionalProperties => 0,

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 810fae57af5c153c1e833c96d40fba39ff8d5de7..8fa03f1257b807498c0d53e76662f6261b996be2 100644 (file)
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -897,7 +897,8 @@ sub check_ct_modify_config_perm {
            return if $delete;
            my $data = $opt eq 'rootfs' ? PVE::LXC::Config->parse_ct_rootfs($newconf->{$opt})
                                        : PVE::LXC::Config->parse_ct_mountpoint($newconf->{$opt});
-           raise_perm_exc("mount point type $data->{type}") if $data->{type} ne 'volume';
+           raise_perm_exc("mount point type $data->{type} is only allowed for root\@pam")
+               if $data->{type} ne 'volume';
        } elsif ($opt eq 'memory' || $opt eq 'swap') {
            $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Memory']);
        } elsif ($opt =~ m/^net\d+$/ || $opt eq 'nameserver' ||