prevent non hyper-v admin users to execute machine commands

Update GetAll() and GetByVMType() to add a check to prevent non hyper-v admin users to interact with hyperv machines. Users can work with hyperv machines only with elevated rights or if members of the hyperv administrators group Signed-off-by: lstocchi <lstocchi@redhat.com>
2026-03-13 08:01:19 +08:00 · 2025-12-01 16:49:51 +01:00
parent 66bad3d2df
commit 1bd51314ff
2 changed files with 20 additions and 5 deletions
--- a/pkg/machine/hyperv/hutil.go
+++ b/pkg/machine/hyperv/hutil.go
@@ -5,8 +5,9 @@ package hyperv
 import (
 	"errors"

+	"github.com/containers/podman/v6/pkg/machine/windows"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows"
+	syswindows "golang.org/x/sys/windows"
 )

 var (
@@ -17,7 +18,7 @@ var (
 )

 func HasHyperVAdminRights() bool {
-	sid, err := windows.CreateWellKnownSid(windows.WinBuiltinHyperVAdminsSid)
+	sid, err := syswindows.CreateWellKnownSid(syswindows.WinBuiltinHyperVAdminsSid)
 	if err != nil {
 		return false
 	}
@@ -27,7 +28,7 @@ func HasHyperVAdminRights() bool {
 	//  token of the calling thread. If the thread is not impersonating,
 	//  the function duplicates the thread's primary token to create an
 	//  impersonation token."
-	token := windows.Token(0)
+	token := syswindows.Token(0)
 	member, err := token.IsMember(sid)
 	if err != nil {
 		logrus.Warnf("Token Membership Error: %s", err)
@@ -36,3 +37,8 @@ func HasHyperVAdminRights() bool {

 	return member
 }
+
+// HasHyperVPermissions checks if the user has either admin rights or Hyper-V admin rights.
+func HasHyperVPermissions() bool {
+	return windows.HasAdminRights() || HasHyperVAdminRights()
+}
--- a/pkg/machine/provider/platform_windows.go
+++ b/pkg/machine/provider/platform_windows.go
@@ -39,6 +39,12 @@ func GetByVMType(resolvedVMType define.VMType) (vmconfigs.VMProvider, error) {
 	case define.WSLVirt:
 		return new(wsl.WSLStubber), nil
 	case define.HyperVVirt:
+		// Check permissions before returning the Hyper-V provider.
+		// Working with Hyper-V requires users to be at least members of the Hyper-V admin group.
+		// Init and remove actions have custom use cases and they are checked on the stubber.
+		if !hyperv.HasHyperVPermissions() {
+			return nil, hyperv.ErrHypervUserNotInAdminGroup
+		}
 		return new(hyperv.HyperVStubber), nil
 	default:
 	}
@@ -46,10 +52,13 @@ func GetByVMType(resolvedVMType define.VMType) (vmconfigs.VMProvider, error) {
 }

 func GetAll() []vmconfigs.VMProvider {
-	return []vmconfigs.VMProvider{
+	providers := []vmconfigs.VMProvider{
 		new(wsl.WSLStubber),
-		new(hyperv.HyperVStubber),
 	}
+	if hyperv.HasHyperVPermissions() {
+		providers = append(providers, new(hyperv.HyperVStubber))
+	}
+	return providers
 }

 // SupportedProviders returns the providers that are supported on the host operating system