Create CT - Permission check failed (403)

Mr.BlueBear

A user is trying to create a CT using the PVE WebUI in a specific Pool (in this case, the pool is called "Dev"). The first error message he got was:
"Permission check failed (/pool/Dev, Permissions.Modify|Pool.Allocate) (403)"

I then added the "PVEPoolAdmin" role to the user on "/pool/Dev", however, now I get a "Permission check failed (403)" with no other hints.

What roles are required for a user to be able to create a CT in a pool?


PVE version:
proxmox-ve: 6.4-1 (running kernel: 5.4.128-1-pve)
pve-manager: 6.4-13 (running version: 6.4-13/9f411e79)
 
you require at least 'VM.Allocate' rights on the pool (or /vms/VMID) and Datastore.AllocateSpace (on the pool (if the storage is in the pool) or the storage)
 
If that is the case, then there is a bug with the LXC Container create. The user is part of a group which has permissions on the Pool with the built-in role PVEVMAdmin and on the storage with the built-in role PVEDatastoreUser. Both these built-in roles have VM.Allocate and Datastore.AllocateSpace respectively.

So I am at a loss as to why the Container creation gets a "Permission check failed (403)"...
 
are there any vmid pre-assigned to the pool? a user creating a ct must have vm.allocate on '/vms/VMID' (e.g. /vms/100) OR on the pool but only if the vmid the user selects is preassigned into the pool
 
No, there are no pre-assigned VMIDs on the pool.

Even after pre-assigning a VMID (e.g. /vms/200) with the proper vm.allocate, I still get a "Permission check failed (/pool/Dev, Permissions.Modify|Pool.Allocate) (403)" because the CT creation process also requires Pool.Allocate, not just vm.allocate.
Once Pool.Allocate is added to the user, it works.

However, giving a user Pool.Allocate on a pool allows him to change permissions for other users/VMs on this pool and escalate privileges for any user to a higher level. This is a security risk if you just want to allow a user basic access and the possibility to create a CT only.
Also, pre-assigning VMIDs for each user to remember is messy. This will definitely lead to user errors and VMs using auto-generated IDs stealing CT pre-assigned IDs.
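
An audit for the over-grant described in the post above, added here as an example that is not part of the original thread or of Proxmox's own code: it lists principals holding Pool.Allocate or Permissions.Modify directly on a pool path. It assumes the colon-separated `role:` and `acl:` records of /etc/pve/user.cfg; the sample config, the custom role CTCreator and the users are constructed, and the built-in role map is partial (only privileges the thread attributes to those roles).

```python
# Added example: flag principals who can re-delegate access on a pool.
# Assumption: colon-separated "role:" / "acl:" records as in /etc/pve/user.cfg.
RISKY = {"Pool.Allocate", "Permissions.Modify"}

# Partial privilege sets, limited to what the thread says about these roles.
BUILTIN = {
    "PVEPoolAdmin": {"Pool.Allocate"},
    "PVEVMAdmin": {"VM.Allocate"},
    "PVEDatastoreUser": {"Datastore.AllocateSpace"},
}

# Constructed sample input (hypothetical users, group and custom role).
SAMPLE_CFG = """\
role:CTCreator:VM.Allocate,Pool.Allocate:
acl:1:/pool/Dev:@developers:PVEVMAdmin:
acl:1:/pool/Dev:alice@pve:PVEPoolAdmin:
acl:1:/pool/Dev:bob@pve:CTCreator:
acl:1:/storage/local-lvm:@developers:PVEDatastoreUser:
acl:0:/vms/200:carol@pve:PVEVMAdmin:
"""

def parse(cfg):
    """Return (role -> privileges, [(path, principal, role), ...])."""
    roles = {name: set(privs) for name, privs in BUILTIN.items()}
    acls = []
    for line in cfg.splitlines():
        fields = line.strip().split(":")
        if fields[0] == "role" and len(fields) >= 3:
            roles[fields[1]] = {p for p in fields[2].split(",") if p}
        elif fields[0] == "acl" and len(fields) >= 5:
            for who in fields[3].split(","):
                for role in fields[4].split(","):
                    acls.append((fields[2], who, role))
    return roles, acls

def risky_pool_grants(cfg):
    """ACL entries on /pool/* whose role carries a risky privilege."""
    roles, acls = parse(cfg)
    findings = []
    for path, who, role in acls:
        if not path.startswith("/pool/"):
            continue  # only direct pool ACLs; inherited grants from "/" are out of scope
        if role not in roles:
            findings.append((path, who, role, ["unknown role"]))  # review by hand
        elif roles[role] & RISKY:
            findings.append((path, who, role, sorted(roles[role] & RISKY)))
    return findings

if __name__ == "__main__":
    for path, who, role, privs in risky_pool_grants(SAMPLE_CFG):
        print(f"{who} on {path} via {role}: {', '.join(privs)}")
```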
 
i meant pre assigning a non-existing vmid to a pool. in your scenario, the user tries to modify the pool, which needs 'Pool.Allocate'
also you need Permissions.Modify on the vm, because adding it to a pool changes its permissions
 
Yes. pre-assigning non-existing VMIDs to a pool is what I understood too.

So yes, pre-assigning non-existing VMIDs to a pool and giving the user Permissions.Modify or Pool.Allocate works.
However, if the user deletes the CT, it also deletes the associated permissions. This is a good workflow to delete permissions when the VM or CT is deleted, but it also basically means that once the user runs out of pre-assigned VMIDs to use or deletes the CT, they will need to ask an Admin for more. This doesn't really make the user autonomous.

To me this makes using CTs in Proxmox more clunky than VMs as with VMs in a pool, users only need the built-in role PVEVMAdmin (no need for Permissions.Modify or Pool.Allocate) to create a VM.
 
ok i just reproduced that and it seems like a bug. we removed the permissions modify check for pools on vms ages ago, but did not for containers...
would you mind opening a bug? https://bugzilla.proxmox.com
 
I ended up opening a support ticket with my support subscription.
And yes, the patch for this bug was rolled out in pve-container 4.1-4 some time ago.
 
