[pve-devel] [PATCH qemu-server] restrict monitor API call to Sys.Modify

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Nov 4 09:42:17 CET 2016


because this allows adding arbitrary devices to VMs (and
other potentially dangerous things)
---
 PVE/API2/Qemu.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 34a5d5d..e6fbb1b 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -2775,7 +2775,7 @@ __PACKAGE__->register_method({
     proxyto => 'node',
     description => "Execute Qemu monitor commands.",
     permissions => {
-	check => ['perm', '/vms/{vmid}', [ 'VM.Monitor' ]],
+	check => ['perm', '/', [ 'Sys.Modify' ]],
     },
     parameters => {
     	additionalProperties => 0,
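Review bot: The new `check` line is no longer scoped to the guest: `/vms/{vmid}` and `VM.Monitor` are dropped entirely, so per-VM ACLs are not consulted for this call and nothing in the method definition tells a reader why root-level `Sys.Modify` is needed. If per-VM scoping should still apply on top of the stricter privilege, require both, e.g. `check => ['and', ['perm', '/vms/{vmid}', ['VM.Monitor']], ['perm', '/', ['Sys.Modify']]],`. Either way, add a `description` entry to the `permissions` hash, for example `description => "Monitor commands can attach arbitrary devices to the VM, so Sys.Modify on '/' is required.",`, so the generated API documentation explains the requirement to users whose `VM.Monitor` role no longer suffices. The `register_method` call starts and ends outside this hunk, so whether the handler applies any per-command filtering is not visible here.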
-- 
2.1.4




