Why does downloading image to storage from an URL require Sys.Audit/Sys.Modify permissions?

jkonieczny

Member
Jan 30, 2020
10
0
6
48
I have mentioned problems with image upload via API in another thread. As a workaround I tried to use the 'download from URL' feature, but it seems unavailable for our operators. The API documentation for 'download-url' says it requires 'Sys.Audit' and 'Sys.Modify' permissions for / in addition to the more obvious Datastore.AllocateTemplate permission to a given /storage/{storage}.

Why is that? This is quite limiting.
 
Thank you, the reasons are clear now. Though, this solution makes usability of this feature quite limited. Not everybody who needs to upload an image also needs network configuration permissions.

Other software solves similar problem by blocking access to 'internal' networks (private IP ranges) except white-listed domains.
 
that's far from complete though - e.g., internal vs. external DNS resolution, firewall rules, ..
 
I still don`t understand why I need to give out Sys.Config to have the node download an iso to it`s datastore.
There`s:
  • Datastore.AllocateTemplate: allocate/upload templates and ISO images
And you don't need the power to modify the host network to do that task afaik... can someone try to explain it in more details please?
Thanks
 
I still don`t understand why I need to give out Sys.Config to have the node download an iso to it`s datastore.
There`s:
  • Datastore.AllocateTemplate: allocate/upload templates and ISO images
And you don't need the power to modify the host network to do that task afaik... can someone try to explain it in more details please?
Thanks
the issue is that if you can download arbitrary URLs, you can use that to enumerate hosts and services and do other shenanigans by basically using the PVE API service as proxy - so that part requires higher privileges than uploading a file.