User Management Settings - VM.Monitor Privilege

amp88

New Member
Aug 9, 2020
10
4
3
39
Hi all. I'm looking into the user management settings for Proxmox, and I'm really pleased to see such granular access available in managing accounts. I'm only considering using Proxmox in my homelab, but this is a great feature.

I'm trying to apply the old "principle of least privilege" approach, so I've created a limited access account after doing my initial installation, storage, VM, network etc administration on the root account. I read through the user management section of the wiki and used it to assign my limited access account the PVEVMAdmin and PVEAuditor roles, which seems to accomplish most of what I want to do at the moment.

However, one missing permission I'd like to give is the ability to see the IP(s) a running VM/container has associated with it on the 'Summary' page. When I view the summary page I get the "Requires 'VM.Monitor' Privileges" message (another great feature; actually telling the user which privilege they lack in order to do what they want!). So, the obvious answer is to assign the VM.Monitor privilege to my limited access user, but therein lies my question: what rights does that privilege actually grant?

I've tried to search for information about what the practical implications and permissions the VM.Monitor privilege actually gives to a user who's assigned it, but I haven't been able to find anything. All I can seem to find is a simple description of "VM.Monitor: access to VM monitor (kvm)" on the user management wiki page and the pveum docs/man page.

I'd welcome any help or input about what granting the VM.Monitor actually entails for user privileges (i.e. what it allows the user to do; can they make any changes to the kvm process, or is it a read-only privilege). Thanks.
 
VM.Monitor grants a user access to the so-called KVM monitor. This is a QEMU feature, where human readable commands can be issued to query and modify the current VM state. You can access it via the "Monitor" tab in the GUI when a VM is selected.

However, VM.Monitor only grants read-only access, that is, only certain commands are allowed, unless the user also has Sys.Modify rights (on /). The following commands are allowed:
  • help
  • info
  • guest agent commands
The last one is what allows the IPs to be displayed. It is assumed that anyone with VM.Monitor permissions also has access to the OS within the VM, so guest agent commands (even modifying ones) can't do any harm (to PVE, you can still mess up whatever runs within the VM of course).

Hope that helps :)
 
  • Like
Reactions: amp88
VM.Monitor grants a user access to the so-called KVM monitor. This is a QEMU feature, where human readable commands can be issued to query and modify the current VM state. You can access it via the "Monitor" tab in the GUI when a VM is selected.

However, VM.Monitor only grants read-only access, that is, only certain commands are allowed, unless the user also has Sys.Modify rights (on /). The following commands are allowed:
  • help
  • info
  • guest agent commands
The last one is what allows the IPs to be displayed. It is assumed that anyone with VM.Monitor permissions also has access to the OS within the VM, so guest agent commands (even modifying ones) can't do any harm (to PVE, you can still mess up whatever runs within the VM of course).

Hope that helps :)
Thanks for the explanation.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!