Why does downloading image to storage from an URL require Sys.Audit/Sys.Modify permissions?

J

jkonieczny

Member
Jan 30, 2020
10
0
6
47
I have mentioned problems with image upload via API in another thread. As a workaround I tried to use the 'download from URL' feature, but it seems unavailable for our operators. The API documentation for 'download-url' says it requires 'Sys.Audit' and 'Sys.Modify' permissions for / in addition to the more obvious Datastore.AllocateTemplate permission to a given /storage/{storage}.

Why is that? This is quite limiting.
 
Thank you, the reasons are clear now. Though, this solution makes usability of this feature quite limited. Not everybody who needs to upload an image also needs network configuration permissions.

Other software solves similar problem by blocking access to 'internal' networks (private IP ranges) except white-listed domains.
 
that's far from complete though - e.g., internal vs. external DNS resolution, firewall rules, ..
 
I still don`t understand why I need to give out Sys.Config to have the node download an iso to it`s datastore.
There`s:
  • Datastore.AllocateTemplate: allocate/upload templates and ISO images
And you don't need the power to modify the host network to do that task afaik... can someone try to explain it in more details please?
Thanks
 
Robert.H said:
I still don`t understand why I need to give out Sys.Config to have the node download an iso to it`s datastore.
There`s:
  • Datastore.AllocateTemplate: allocate/upload templates and ISO images
And you don't need the power to modify the host network to do that task afaik... can someone try to explain it in more details please?
Thanks
Click to expand...
the issue is that if you can download arbitrary URLs, you can use that to enumerate hosts and services and do other shenanigans by basically using the PVE API service as proxy - so that part requires higher privileges than uploading a file.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom