Signed-off-by: Oguz Bektas <o.bek...@proxmox.com>
---
PVE/Storage.pm | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/PVE/Storage.pm b/PVE/Storage.pm
index b1d31bb..762933f 100755
--- a/PVE/Storage.pm
+++ b/PVE/Storage.pm
@@ -467,6 +467,11 @@ sub parse_volume_id {
 sub check_volume_access {
 my ($rpcenv, $user, $cfg, $vmid, $volid) = @_;
+ return if $user eq 'root@pam'; # root@pam always OK
+
+ # SU on "/" are needed for passing arbitrary filesystem paths
+ my $is_superuser = $rpcenv->check($user, "/", ['SuperUser'], 1);
+
 my ($sid, $volname) = parse_volume_id($volid, 1);
 if ($sid) {
 my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
@@ -483,8 +488,8 @@ sub check_volume_access {
 $rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate']);
 }
 } else {
- die "Only root can pass arbitrary filesystem paths."
- if $user ne 'root@pam';
+ die "Only superusers can pass arbitrary filesystem paths."
+ if !$is_superuser;
 }
 return undef;
--
2.30.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
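Review bot: In the first hunk, the new `return if $user eq 'root@pam';` sits before `parse_volume_id` and `parse_volname`, so for root the function now returns without parsing the volume ID at all. Before this change root was exempt only in the `else` branch and still went through `parse_volname($cfg, $volid)`, which presumably dies on a volume ID that names a storage but is malformed. If dropping that validation for root is intended, the comment should say so, for example `# root@pam skips all checks, including volid parsing`; otherwise keep the root shortcut next to the path check. Separately, `$is_superuser` is looked up on every call although only the `else` branch in the second hunk reads it, and the trailing `1` deserves a comment that it suppresses the error so the result can be tested. The body of check_volume_access continues outside this hunk.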
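Review bot: In the second hunk, the refusal in the `else` branch is a plain `die` whose string has no trailing newline, so Perl appends the file and line number to the text the caller receives. The message also no longer says which privilege on which path is missing. Running the check in this branch without the no-error flag, `$rpcenv->check($user, "/", ['SuperUser']);`, would presumably fail the same way as the `Datastore.Allocate` check just above and would make the `$is_superuser` variable from the first hunk unnecessary; confirm callers do not match on the old message text. A comment here should also record that any account holding SuperUser on `/` may now name an arbitrary host path as a volume, since that widens what the privilege grants. The closing brace of check_volume_access lies outside the hunk.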