On Tue, Aug 03, 2021 at 02:29:52PM +0200, Dominik Csapak wrote:
> instead of it being root only
>
> Signed-off-by: Dominik Csapak <[email protected]>
> ---
> src/PVE/LXC.pm | 43 +++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 41 insertions(+), 2 deletions(-)
>
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 32a2127..abe8ac3 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1270,8 +1270,47 @@ sub check_ct_modify_config_perm {
> $opt eq 'searchdomain' || $opt eq 'hostname') {
> $rpcenv->check_vm_perm($authuser, $vmid, $pool,
> ['VM.Config.Network']);
> } elsif ($opt eq 'features') {
> - # For now this is restricted to root@pam
> - raise_perm_exc("changing feature flags is only allowed for
> root\@pam");
> + raise_perm_exc("changing feature flags for privileged container is
> only allowed for root\@pam")
> + if !$unprivileged;
> +
> + my $nesting_changed = 0;
> + my $other_changed = 0;
> + if (!$delete) {
> + my $features =
> PVE::LXC::Config->parse_features($newconf->{$opt});
> + if (defined($oldconf) && $oldconf->{$opt}) {
> + # existing container with features
> + my $old_features =
> PVE::LXC::Config->parse_features($oldconf->{$opt});
> + for my $feature ((keys %$old_features, keys %$features)) {
> + if ($old_features->{$feature} ne $features->{$feature})
> {
> + if ($feature eq 'nesting') {
> + $nesting_changed = 1;
> + next;
> + } else {
> + $other_changed = 1;
> + last;
Breaking out here means you *tend* to prefer the `other_changed` error, but...
> + }
> + }
> + }
> + } else {
> + # new container or no features defined
> + if (scalar(keys %$features) == 1 && $features->{nesting}) {
> + $nesting_changed = 1;
> + } elsif (scalar(keys %$features) > 0) {
> + $other_changed = 1;
> + }
> + }
> + } else {
> + my $features =
> PVE::LXC::Config->parse_features($oldconf->{$opt});
> + if (scalar(keys %$features) == 1 && $features->{nesting}) {
...here you prefer the nesting check, but only if nothing else
changes alongside it...
> + $nesting_changed = 1;
> + } elsif (scalar(keys %$features) > 0) {
> + $other_changed = 1;
> + }
> + }
> + $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Allocate'])
> + if $nesting_changed;
...but hash key randomization may randomly give you $nesting_changed=1
first and cause this message to appear instead of the one below.
So we should probably swap the two checks for consistency?
> + raise_perm_exc("changing feature flags (except nesting) is only
> allowed for root\@pam")
> + if $other_changed;
> } elsif ($opt eq 'hookscript') {
> # For now this is restricted to root@pam
> raise_perm_exc("changing the hookscript is only allowed for
> root\@pam");
> --
> 2.30.2
_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
