Re: [pve-devel] [PATCH v2 manager 06/12] api: update comment about login prompt for non-root users

From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH v2 manager 06/12] api: update comment about login prompt for non-root users
Date: Thu, 17 Mar 2022 13:33:25 +0100	[thread overview]
Message-ID: <1647520117.0647nzhqq2.astroid@nora.none> (raw)
In-Reply-To: <20220311112504.595964-7-o.bektas@proxmox.com>

On March 11, 2022 12:24 pm, Oguz Bektas wrote:
> we have a SU privilege now, but we still drop to a login prompt for such
> users.
> 
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
>  PVE/API2/Nodes.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
> index 655493a3..0c3de231 100644
> --- a/PVE/API2/Nodes.pm
> +++ b/PVE/API2/Nodes.pm
> @@ -870,7 +870,7 @@ sub get_shell_command  {
>  	    $cmd = [ '/bin/login', '-f', 'root' ];
>  	}
>      } else {
> -	# non-root must always login for now, we do not have a superuser role!
> +	# non-root must always login, even with SU privilege

it would be nicer to check this early on as well with a proper error 
message - all of temrproxy, vncshell, spiceshell allow passing in a cmd 
('login', 'upgrade', or 'ceph_install'), and only 'upgrade' is checked 
there for being root@pam only. so if a user calls those with 
'ceph_install', they'd be dropped in a login prompt instead without any 
indication why..

>  	$cmd = [ '/bin/login' ];
>      }
>      return $cmd;
> -- 
> 2.30.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 