Why do we need root to do some operations?

languanghao

New Member
Feb 28, 2015
When setting qemu's 'arg' option, the system tells me "only root can set 'arg' config".

For some reason, I cannot give the user the root password, but the operation user has the role 'Administrator'.

I tried to change the file '/usr/share/perl5/PVE/API2/Qemu.pm', and edited the code:

Code:
            $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Memory']);
#      } elsif ($opt eq 'args' || $opt eq 'lock') {
#          die "only root can set '$opt' config\n";
        } elsif ($opt eq 'cpu' || $opt eq 'kvm' || $opt eq 'acpi' || $opt eq 'machine' ||
                 $opt eq 'vga' || $opt eq 'watchdog' || $opt eq 'tablet' || $opt eq 'smbios1') {

After this, the user can set the 'args' operation in the web.

So, why is the permission checked here?

If I change the code, will it cause some issues?

Is the user root in the web the real Linux user 'root'?

Also, the wiki https://pve.proxmox.com/wiki/Proxmox_Cluster_file_system_(pmxcfs) confused me.
All files/dirs are owned by user 'root' and have group 'www-data'. Only root has write permissions, but group 'www-data' can read most files. Files below the following paths:

In my opinion the web processes run under user: www-data, but from above, it seems like the web processes run under user root?
 
One can do dangerous things with the 'args' setting. That is why we restricted that to root only.
 
Sorry, I made a mistake.

The project PVE-Manager has a web GUI. When I set the 'Args' setting, the Perl code will write something to the file. But the files are in the dir '/etc/pve/nodes', which only root can write.

So, my question is: the web is run by www-data, so why, when I remove the 'permission check' code, can it still write into the file in the dir '/etc/pve/nodes'?
 
I think this issue still exists? I have a use case of setting CPU args by using the `args` option. I'm using this as I will set more options than the `cpu` flags allow me to set. I'm using automation to create a template and part of this creation is setting these CPU args. I won't give root credentials to my automation process but I would like to allow my automation to set these CPU args.

Is this still going to be changed? Will it be possible to set more CPU flags directly from the CPU option? Or would it be possible to set args as a non-root user?

Sorry for kicking an old thread.
 
args will always remain root only. did you check out the custom CPU model feature? it might allow you to define a CPU type that contains all the settings you need, and then you can reference that when creating a VM.
 
I'm setting these flags:

Code:
+3dnowprefetch,+abm,+adx,+aes,+arat,+avx,+avx2,+bmi1,+bmi2,+f16c,+fma,+lahf_lm,+movbe,+pclmulqdq,+popcnt,+rdrand,+rdseed,+rdtscp,+sep,+smap,+smep,+sse4.1,+sse4.2,+ssse3,+xsave,+xsaveopt,+kvm_pv_eoi

Which is way more than the Proxmox VE API allowed me to set as a flag. See also this thread: https://forum.proxmox.com/threads/l...-intel-xeon-and-amd-epyc2-linux-guests.68663/. For our situation it means that with these settings we can live migrate our VMs from Intel to AMD and vice versa.
 
like I said - please check out the custom CPU models (man cpu-models.conf) ;)
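
An added example, not part of the thread and not Proxmox code: a Python helper that turns the flag list posted above into a custom CPU model stanza, so that automation only references a named model instead of needing the root-only `args` option. It assumes the `cpu-model:` / `flags` / `reported-model` layout of /etc/pve/virtual-guest/cpu-models.conf; the model name `migrate`, the `kvm64` base and all function names are hypothetical.

```python
import re

# Token syntax for one flag, modelled on the "+flag" form used in the thread (assumption).
FLAG_RE = re.compile(r"[+-][a-zA-Z0-9._-]+")
NAME_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9_-]*")

# Flag list copied from the post above.
THREAD_FLAGS = ("+3dnowprefetch,+abm,+adx,+aes,+arat,+avx,+avx2,+bmi1,+bmi2,+f16c,"
                "+fma,+lahf_lm,+movbe,+pclmulqdq,+popcnt,+rdrand,+rdseed,+rdtscp,"
                "+sep,+smap,+smep,+sse4.1,+sse4.2,+ssse3,+xsave,+xsaveopt,+kvm_pv_eoi")


def parse_flags(raw):
    """Split a ','- or ';'-separated list; reject malformed or conflicting flags."""
    seen = {}
    for token in filter(None, (t.strip() for t in re.split(r"[;,]", raw))):
        # fullmatch blocks whitespace and newlines, which would otherwise let
        # automation input add extra properties to a root-owned config file.
        if not FLAG_RE.fullmatch(token):
            raise ValueError(f"not a +flag/-flag token: {token!r}")
        sign, name = token[0], token[1:]
        if seen.get(name, sign) != sign:
            raise ValueError(f"flag {name!r} is both enabled and disabled")
        seen[name] = sign
    if not seen:
        raise ValueError("empty flag list")
    return [sign + name for name, sign in seen.items()]


def cpu_model_stanza(name, raw_flags, reported_model="kvm64"):
    """Render one stanza; 'kvm64' as the base model is an assumption."""
    if not NAME_RE.fullmatch(name) or not NAME_RE.fullmatch(reported_model):
        raise ValueError("model names may only contain letters, digits, '_' and '-'")
    flags = ";".join(parse_flags(raw_flags))
    return (f"cpu-model: {name}\n"
            f"    flags {flags}\n"
            f"    reported-model {reported_model}\n")


if __name__ == "__main__":
    print(cpu_model_stanza("migrate", THREAD_FLAGS), end="")
```

Root reviews and installs the generated stanza once; a VM then refers to it as `cpu: custom-migrate`.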
 