use reasonable acl paths

src/api2/node/dns.rs

@@ -111,7 +111,7 @@ pub fn read_etc_resolv_conf() -> Result<Value, Error> {
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "network", "dns"], PRIV_SYS_MODIFY, false),
     }
 )]
 /// Update DNS settings
@@ -206,7 +206,7 @@ pub fn update_dns(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["system", "network", "dns"], PRIV_SYS_AUDIT, false),
     }
 )]
 /// Read DNS settings.

src/api2/node/journal.rs

@@ -55,7 +55,7 @@ use crate::config::acl::PRIV_SYS_AUDIT;
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["system", "log"], PRIV_SYS_AUDIT, false),
     },
 )]
 /// Read syslog entries.

src/api2/node/network.rs

@@ -24,7 +24,7 @@ use crate::api2::types::*;
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["system", "network", "interfaces"], PRIV_SYS_AUDIT, false),
     },
 )]
 /// List all datastores
@@ -69,7 +69,7 @@ pub fn list_network_devices(
         type: Interface,
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["system", "network", "interfaces", "{name}"], PRIV_SYS_AUDIT, false),
     },
 )]
 /// Read a network interface configuration.
@@ -188,7 +188,7 @@ pub enum DeletableProperty {
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "network", "interfaces", "{name}"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Update network interface config.
@@ -306,7 +306,7 @@ pub fn update_interface(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "network", "interfaces", "{name}"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Remove network interface configuration.
@@ -339,7 +339,7 @@ pub fn delete_interface(name: String, digest: Option<String>) -> Result<(), Erro
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "network", "interfaces"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Reload network configuration (requires ifupdown2).
@@ -363,7 +363,7 @@ pub fn reload_network_config() -> Result<(), Error> {
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "network", "interfaces"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Revert network configuration (rm /etc/network/interfaces.new).

src/api2/node/services.rs

@@ -124,7 +124,7 @@ fn json_service_state(service: &str, status: Value) -> Value {
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["system", "services"], PRIV_SYS_AUDIT, false),
     },
 )]
 /// Service list.
@@ -161,7 +161,7 @@ fn list_services(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["system", "services", "{service}"], PRIV_SYS_AUDIT, false),
     },
 )]
 /// Read service properties.
@@ -220,7 +220,7 @@ fn run_service_command(service: &str, cmd: &str) -> Result<Value, Error> {
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "services", "{service}"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Start service.
@@ -247,7 +247,7 @@ fn start_service(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "services", "{service}"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Stop service.
@@ -274,7 +274,7 @@ fn stop_service(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "services", "{service}"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Retart service.
@@ -306,7 +306,7 @@ fn restart_service(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "services", "{service}"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Reload service.

src/api2/node/syslog.rs

@@ -124,7 +124,7 @@ fn dump_journal(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["system", "log"], PRIV_SYS_AUDIT, false),
     },
 )]
 /// Read syslog entries.

src/api2/node/time.rs

@@ -7,6 +7,7 @@ use serde_json::{json, Value};
 use proxmox::api::{api, Router, Permission};
 use proxmox::tools::fs::{file_read_firstline, replace_file, CreateOptions};
 
+use crate::config::acl::PRIV_SYS_MODIFY;
 use crate::api2::types::*;
 
 fn read_etc_localtime() -> Result<String, Error> {
@@ -96,6 +97,9 @@ fn get_time(_param: Value) -> Result<Value, Error> {
             },
         },
     },
+    access: {
+        permission: &Permission::Privilege(&["system", "time"], PRIV_SYS_MODIFY, false),
+    },
 )]
 /// Set time zone
 fn set_timezone(