From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 41F561FF146 for ; Tue, 23 Jun 2026 14:03:56 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 2184F33067; Tue, 23 Jun 2026 14:03:56 +0200 (CEST) From: Shan Shaji To: pdm-devel@lists.proxmox.com Subject: [PATCH datacenter-manager v2] fix: api: allow non-pam users to access shell Date: Tue, 23 Jun 2026 14:03:14 +0200 Message-ID: <20260623120314.305942-1-s.shaji@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1782216191980 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.148 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: Y6QLGLXVZJF23VOOS2TLS3354YXGYM5D X-Message-ID-Hash: Y6QLGLXVZJF23VOOS2TLS3354YXGYM5D X-MailFrom: s.shaji@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Remove the explicit restriction that only pam users can access the shell. This is safe to do, as all users that are not root@pam will be shown with a login shell. So they need to have some (PAM) login credentials available. This changes is useful for setups where a host integrates with central authentication systems (e.g. LDAP or Active Directory) either as a PDM realm or as a PAM plugin. It also allows environments that favor non-pam users for PDM by default, but still want to keep PAM accounts available for admnistrators. Reference: pve-manager commit (7914f5e7b) and proxmox-backup commit (c77dfaf31), these commits are already applied for PVE and PBS. Signed-off-by: Shan Shaji --- changes since v1: Thanks @Dominik - Mention the need of valid PAM credentials inorder to access the console. server/src/api/nodes/termproxy.rs | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/server/src/api/nodes/termproxy.rs b/server/src/api/nodes/termproxy.rs index 71e4845b..7e7f1f1b 100644 --- a/server/src/api/nodes/termproxy.rs +++ b/server/src/api/nodes/termproxy.rs @@ -63,7 +63,9 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.") } }, access: { - description: "Restricted to users on realm 'pam'", + description: "The user requires `Sys.Console` privilege on `/system`. + All users who are not root@pam will have a login shell, so the user + must possess PAM login credentials.", permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false), } )] @@ -81,10 +83,6 @@ async fn termproxy(cmd: Option, rpcenv: &mut dyn RpcEnvironment) -> Resu let userid = auth_id.user(); - if userid.realm() != "pam" { - bail!("only pam users can use the console"); - } - let path = "/system"; // use port 0 and let the kernel decide which port is free -- 2.47.3