restrict monitor API to Sys.Modify for most commands

because these allow adding arbitrary devices to VMs (and
other potentially dangerous things).

whitelist 'info *' and 'help' as usable with just
VM.Monitor, if more are desired and requested they can be
added later.

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 7de1663f42cf01ce0b2ecf7602a1e30ab08fd294..902f028f3746f30371b8875abbc93ef536840cad 100644 (file)
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -2796,6 +2796,7 @@ __PACKAGE__->register_method({
     proxyto => 'node',
     description => "Execute Qemu monitor commands.",
     permissions => {
+       description => "Sys.Modify is required for (sub)commands which are not read-only ('info *' and 'help')",
        check => ['perm', '/vms/{vmid}', [ 'VM.Monitor' ]],
     },
     parameters => {
@@ -2813,6 +2814,18 @@ __PACKAGE__->register_method({
     code => sub {
        my ($param) = @_;
 
+       my $rpcenv = PVE::RPCEnvironment::get();
+       my $authuser = $rpcenv->get_user();
+
+       my $is_ro = sub {
+           my $command = shift;
+           return $command =~ m/^\s*info(\s+|$)/
+               || $command =~ m/^\s*help\s*$/;
+       };
+
+       $rpcenv->check_full($authuser, "/", ['Sys.Modify'])
+           if !&$is_ro($param->{command});
+
        my $vmid = $param->{vmid};
 
        my $conf = PVE::QemuConfig->load_config ($vmid); # check if VM exists