tyler/proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

sync job: don't require privs on datastore

Browse Source 
syncing to a namespace only requires privileges on the namespace (and
potentially its children during execution).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler
2022-05-24 14:58:47 +02:00
committed by Thomas Lamprecht
parent 4a4dd66c26
commit 83e3000349
2 changed files with 18 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/api2/config/sync.rs
View File

@ -20,18 +20,11 @@ pub fn check_sync_job_read_access(
auth_id: &Authid,
job: &SyncJobConfig,
) -> bool {
let datastore_privs = user_info.lookup_privs(auth_id, &["datastore", &job.store]);
if datastore_privs & PRIV_DATASTORE_AUDIT == 0 {
let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.store_with_ns().acl_path());
if ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0 {
return false;
}
if let Some(ref ns) = job.ns {
let ns_privs = user_info.lookup_privs(auth_id, &["datastore", &job.store, &ns.to_string()]);
if ns_privs & PRIV_DATASTORE_AUDIT == 0 {
return false;
}
}
let remote_privs = user_info.lookup_privs(auth_id, &["remote", &job.remote]);
remote_privs & PRIV_REMOTE_AUDIT != 0
}
@ -45,20 +38,13 @@ pub fn check_sync_job_modify_access(
auth_id: &Authid,
job: &SyncJobConfig,
) -> bool {
let datastore_privs = user_info.lookup_privs(auth_id, &["datastore", &job.store]);
if datastore_privs & PRIV_DATASTORE_BACKUP == 0 {
let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.store_with_ns().acl_path());
if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0 {
return false;
}
if let Some(ref ns) = job.ns {
let ns_privs = user_info.lookup_privs(auth_id, &["datastore", &job.store, &ns.to_string()]);
if ns_privs & PRIV_DATASTORE_BACKUP == 0 {
return false;
}
}
if let Some(true) = job.remove_vanished {
if datastore_privs & PRIV_DATASTORE_PRUNE == 0 {
if ns_anchor_privs & PRIV_DATASTORE_PRUNE == 0 {
return false;
}
}
@ -73,7 +59,7 @@ pub fn check_sync_job_modify_access(
};
// same permission as changing ownership after syncing
if !correct_owner && datastore_privs & PRIV_DATASTORE_MODIFY == 0 {
if !correct_owner && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
return false;
}