[pve-devel] [PATCH manager] fix #2771: relax cert API endpoints permissions

Wed, 17 Jun 2020 02:43:22 -0700 

allow users with Sys.Modify to modify custom or ACME certificates. those
users can already hose the system in plenty of ways, no reason to
restrict this in particular to being root@pam only.

Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
 PVE/API2/ACME.pm         | 9 +++++++++
 PVE/API2/Certificates.pm | 6 ++++++
 2 files changed, 15 insertions(+)

diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
index c7d6e7e9..0decfb4a 100644
--- a/PVE/API2/ACME.pm
+++ b/PVE/API2/ACME.pm
@@ -158,6 +158,9 @@ __PACKAGE__->register_method ({
     name => 'new_certificate',
     path => 'certificate',
     method => 'POST',
+    permissions => {
+       check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Order a new certificate from ACME-compatible CA.",
     protected => 1,
     proxyto => 'node',
@@ -226,6 +229,9 @@ __PACKAGE__->register_method ({
     name => 'renew_certificate',
     path => 'certificate',
     method => 'PUT',
+    permissions => {
+       check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Renew existing certificate from CA.",
     protected => 1,
     proxyto => 'node',
@@ -303,6 +309,9 @@ __PACKAGE__->register_method ({
     name => 'revoke_certificate',
     path => 'certificate',
     method => 'DELETE',
+    permissions => {
+       check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Revoke existing certificate from CA.",
     protected => 1,
     proxyto => 'node',
diff --git a/PVE/API2/Certificates.pm b/PVE/API2/Certificates.pm
index fd75ba85..d22e203e 100644
--- a/PVE/API2/Certificates.pm
+++ b/PVE/API2/Certificates.pm
@@ -91,6 +91,9 @@ __PACKAGE__->register_method ({
     name => 'upload_custom_cert',
     path => 'custom',
     method => 'POST',
+    permissions => {
+       check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => 'Upload or update custom certificate chain and key.',
     protected => 1,
     proxyto => 'node',
@@ -163,6 +166,9 @@ __PACKAGE__->register_method ({
     name => 'remove_custom_cert',
     path => 'custom',
     method => 'DELETE',
+    permissions => {
+       check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => 'DELETE custom certificate chain and key.',
     protected => 1,
     proxyto => 'node',
-- 
2.20.1


_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to