[pve-devel] [PATCH v2 qemu-server 03/12] api: allow 'skiplock' option to be used by SU privileged users

Fri, 11 Mar 2022 03:26:09 -0800 

Signed-off-by: Oguz Bektas <o.bek...@proxmox.com>
---
 PVE/API2/Qemu.pm | 59 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 40 insertions(+), 19 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 21fc82b..95cc46d 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -1126,8 +1126,8 @@ my $update_vm_api  = sub {
     my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
 
     my $skiplock = extract_param($param, 'skiplock');
-    raise_param_exc({ skiplock => "Only root may use this option." })
-       if $skiplock && $authuser ne 'root@pam';
+    raise_param_exc({ skiplock => "Only superusers may use this option." })
+       if $skiplock && !$is_superuser;
 
     my $delete_str = extract_param($param, 'delete');
 
@@ -1645,9 +1645,11 @@ __PACKAGE__->register_method({
        my $authuser = $rpcenv->get_user();
        my $vmid = $param->{vmid};
 
+       my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
+
        my $skiplock = $param->{skiplock};
-       raise_param_exc({ skiplock => "Only root may use this option." })
-           if $skiplock && $authuser ne 'root@pam';
+       raise_param_exc({ skiplock => "Only superusers may use this option." })
+           if $skiplock && !$is_superuser;
 
        my $early_checks = sub {
            # test if VM exists
@@ -2290,6 +2292,12 @@ __PACKAGE__->register_method({
        my $timeout = extract_param($param, 'timeout');
        my $machine = extract_param($param, 'machine');
 
+       my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
+
+       my $skiplock = extract_param($param, 'skiplock');
+       raise_param_exc({ skiplock => "Only superusers may use this option." })
+           if $skiplock && !$is_superuser;
+
        my $get_root_param = sub {
            my $value = extract_param($param, $_[0]);
            raise_param_exc({ "$_[0]" => "Only root may use this option." })
@@ -2298,7 +2306,6 @@ __PACKAGE__->register_method({
        };
 
        my $stateuri = $get_root_param->('stateuri');
-       my $skiplock = $get_root_param->('skiplock');
        my $migratedfrom = $get_root_param->('migratedfrom');
        my $migration_type = $get_root_param->('migration_type');
        my $migration_network = $get_root_param->('migration_network');
@@ -2436,9 +2443,11 @@ __PACKAGE__->register_method({
        my $node = extract_param($param, 'node');
        my $vmid = extract_param($param, 'vmid');
 
+       my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
+
        my $skiplock = extract_param($param, 'skiplock');
-       raise_param_exc({ skiplock => "Only root may use this option." })
-           if $skiplock && $authuser ne 'root@pam';
+       raise_param_exc({ skiplock => "Only superusers may use this option." })
+           if $skiplock && !$is_superuser;
 
        my $keepActive = extract_param($param, 'keepActive');
        raise_param_exc({ keepActive => "Only root may use this option." })
@@ -2513,9 +2522,11 @@ __PACKAGE__->register_method({
 
        my $vmid = extract_param($param, 'vmid');
 
+       my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
+
        my $skiplock = extract_param($param, 'skiplock');
-       raise_param_exc({ skiplock => "Only root may use this option." })
-           if $skiplock && $authuser ne 'root@pam';
+       raise_param_exc({ skiplock => "Only superusers may use this option." })
+           if $skiplock && !$is_superuser;
 
        die "VM $vmid not running\n" if !PVE::QemuServer::check_running($vmid);
 
@@ -2580,9 +2591,11 @@ __PACKAGE__->register_method({
        my $node = extract_param($param, 'node');
        my $vmid = extract_param($param, 'vmid');
 
+       my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
+
        my $skiplock = extract_param($param, 'skiplock');
-       raise_param_exc({ skiplock => "Only root may use this option." })
-           if $skiplock && $authuser ne 'root@pam';
+       raise_param_exc({ skiplock => "Only superusers may use this option." })
+           if $skiplock && !$is_superuser;
 
        my $keepActive = extract_param($param, 'keepActive');
        raise_param_exc({ keepActive => "Only root may use this option." })
@@ -2739,9 +2752,11 @@ __PACKAGE__->register_method({
 
        my $statestorage = extract_param($param, 'statestorage');
 
+       my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
+
        my $skiplock = extract_param($param, 'skiplock');
-       raise_param_exc({ skiplock => "Only root may use this option." })
-           if $skiplock && $authuser ne 'root@pam';
+       raise_param_exc({ skiplock => "Only superusers may use this option." })
+           if $skiplock && !$is_superuser;
 
        die "VM $vmid not running\n" if !PVE::QemuServer::check_running($vmid);
 
@@ -2811,9 +2826,11 @@ __PACKAGE__->register_method({
 
        my $vmid = extract_param($param, 'vmid');
 
+       my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
+
        my $skiplock = extract_param($param, 'skiplock');
-       raise_param_exc({ skiplock => "Only root may use this option." })
-           if $skiplock && $authuser ne 'root@pam';
+       raise_param_exc({ skiplock => "Only superusers may use this option." })
+           if $skiplock && !$is_superuser;
 
        my $nocheck = extract_param($param, 'nocheck');
        raise_param_exc({ nocheck => "Only root may use this option." })
@@ -2883,9 +2900,11 @@ __PACKAGE__->register_method({
 
        my $vmid = extract_param($param, 'vmid');
 
+       my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
+
        my $skiplock = extract_param($param, 'skiplock');
-       raise_param_exc({ skiplock => "Only root may use this option." })
-           if $skiplock && $authuser ne 'root@pam';
+       raise_param_exc({ skiplock => "Only superusers may use this option." })
+           if $skiplock && !$is_superuser;
 
        PVE::QemuServer::vm_sendkey($vmid, $skiplock, $param->{key});
 
@@ -4114,9 +4133,11 @@ __PACKAGE__->register_method({
 
        my $sizestr = extract_param($param, 'size');
 
+       my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser, 
"/vms/$vmid", ['SuperUser'], 1);
+
        my $skiplock = extract_param($param, 'skiplock');
-        raise_param_exc({ skiplock => "Only root may use this option." })
-            if $skiplock && $authuser ne 'root@pam';
+        raise_param_exc({ skiplock => "Only superusers may use this option." })
+            if $skiplock && !$is_superuser;
 
         my $storecfg = PVE::Storage::config();
 
-- 
2.30.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to