On Wed, Sep 19, 2018 at 02:09:39PM +0200, Thomas Lamprecht wrote:
> On 7/31/18 2:50 PM, Wolfgang Bumiller wrote:
> > To disable a feature it is enough to be generally allowed
> > to edit the configuration. Enabling a feature requires more
> > privileges. For now: root@pam.
> >
>
> While it is correct from a technical POV, it seems a bit strange from a
> user experience POV, not sure about this.
> E.g., I'm one of those people that often just try to toggle options for the
> sake of it and see what happens - at least if it's nothing too important,
> and here I'd be quite bummed out if I had it, disabled keyctl and then my
> unprivileged CT gets problems - no nice UX, IMO...

Not allowing to remove them works for me, too. IOW, any change there
requires root@pam, although actually the 'keyctl' feature should only
require the regular VM.Config permission as it's not a security critical
change but rather disables a systemd-networkd-specific workaround.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel