yesBad/pve-storage
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

check volume access: always allow with Datastore.Allocate privilege

Browse Source 
Such users are supposed to be administrators of the storage, but
previously, access to backups was not allowed when not also having
VM.Backup.

Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
This commit is contained in:
Fabian Ebner
2022-03-30 12:24:29 +02:00
committed by Fabian Grünbichler
parent f303dec6e4
commit 3e1a618e34
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
PVE/Storage.pm
View File

@ -477,6 +477,8 @@ sub check_volume_access {
my ($sid, $volname) = parse_volume_id($volid, 1);
if ($sid) {
return if $rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate'], 1);
my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
# require at least read access to storage, (custom) templates/ISOs could be sensitive
@ -487,8 +489,7 @@ sub check_volume_access {
$rpcenv->check($user, "/storage/$sid", ['Datastore.AllocateSpace']);
$rpcenv->check($user, "/vms/$ownervm", ['VM.Backup']);
} else {
# allow if we are Datastore administrator
$rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate']);
die "missing privileges to access $volid\n";
}
} else {
die "Only root can pass arbitrary filesystem paths."