[pve-devel] firewall permissions / network permissions

VELARTIS Philipp Dürhammer p.duerhammer at velartis.at
Thu Oct 20 16:05:04 CEST 2016


I was also checking in the forum and it seems that other users miss this too.

Shouldn't it be better to distinguish between firewall and network config?
Actually, even all firewall config like on/off and IP/MAC filter should be placed in different privileges.
Only for giving a user the permission to change some firewall rules, to give him permission to change all network stuff seems dangerous to me.
A firewall change is a simple sysadmin task. But in the worst case a user can deactivate the IP/MAC spoofing or connect to another bridge.
In our case we have some Windows VMs to manage the cluster and network. They have access to another bridge which is connected to the internal network. Any user who needs the right to simply change some firewall rules can add or change the network device to that bridge. That's a big security problem.

Is it very difficult to add new privileges?

Best regards
philipp


