From: Oguz Bektas <o.bektas@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v3 manager 11/17] api: always show login prompt for non-root users on terminal proxy calls
Date: Wed, 6 Apr 2022 13:57:28 +0200 [thread overview]
Message-ID: <20220406115734.898714-12-o.bektas@proxmox.com> (raw)
In-Reply-To: <20220406115734.898714-1-o.bektas@proxmox.com>
we have a SU privilege now, but we still drop to a login prompt on our
spice/vnc/termproxy for such users.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
v2->v3:
* limit non-root users to 'login' shellcmd on vncproxy, termproxy and spiceproxy
PVE/API2/Nodes.pm | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 655493a3..52dae854 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -870,7 +870,7 @@ sub get_shell_command {
$cmd = [ '/bin/login', '-f', 'root' ];
}
} else {
- # non-root must always login for now, we do not have a superuser role!
+ # non-root must always login, even with SU privilege
$cmd = [ '/bin/login' ];
}
return $cmd;
@@ -960,7 +960,7 @@ __PACKAGE__->register_method ({
raise_perm_exc("realm != pam") if $realm ne 'pam';
- if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') {
+ if (defined($param->{cmd}) && $param->{cmd} eq 'login' && $user ne 'root@pam') {
raise_perm_exc('user != root@pam');
}
@@ -1077,8 +1077,13 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user());
+
raise_perm_exc("realm $realm != pam") if $realm ne 'pam';
+ if (defined($param->{cmd}) && $param->{cmd} eq 'login' && $user ne 'root@pam') {
+ raise_perm_exc('user != root@pam');
+ }
+
my $node = $param->{node};
my $authpath = "/nodes/$node";
my $ticket = PVE::AccessControl::assemble_vnc_ticket($user, $authpath);
@@ -1208,7 +1213,7 @@ __PACKAGE__->register_method ({
raise_perm_exc("realm != pam") if $realm ne 'pam';
- if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') {
+ if (defined($param->{cmd}) && $param->{cmd} eq 'login' && $user ne 'root@pam') {
raise_perm_exc('user != root@pam');
}
--
2.30.2
next prev parent reply other threads:[~2022-04-06 11:58 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-06 11:57 [pve-devel] [PATCH v3 access-control++ 00/17] SuperUser privilege Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 access-control 01/17] add "SuperAdministrator" role with the new "SuperUser" privilege Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 access-control 02/17] RPC env: add SuperUser API permission for GUI capabilities Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 access-control 03/17] api: acl: only allow granting SU privilege if user already has it Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 access-control 04/17] api: roles: only allow modifying roles to add/remove SU if user has SU themselves Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 access-control 05/17] api: allow superusers to edit tfa and password settings Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 qemu-server 06/17] api: allow SU privileged users to edit root-only options for VM configs Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 qemu-server 07/17] migration tests: mock $rpcenv->check subroutine Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 qemu-server 08/17] api: allow superusers to use 'skiplock' option Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 manager 09/17] api: backup: allow SUs to use 'tmpdir', 'dumpdir' and 'script' options Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 manager 10/17] api: vzdump: allow SUs to use 'bwlimit' and 'ionice' parameters Oguz Bektas
2022-04-06 11:57 ` Oguz Bektas [this message]
2022-04-06 11:57 ` [pve-devel] [PATCH v3 manager 12/17] ui: include "SuperUser" in privilege selector Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 manager 13/17] ui: lxc features: check for SU instead of 'root@pam' Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 manager 14/17] ui: adapt sensible 'root@pam' checks to SU Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 container 15/17] fix #2582: api: add checks for 'SuperUser' privilege for root-only options Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 storage 16/17] check_volume_access: allow superusers to pass arbitrary fs paths Oguz Bektas
2022-04-06 11:57 ` [pve-devel] [PATCH v3 docs 17/17] pveum: add SU privilege and SA role Oguz Bektas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220406115734.898714-12-o.bektas@proxmox.com \
--to=o.bektas@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.