From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 38DC21FF146 for ; Tue, 23 Jun 2026 13:03:36 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 942CE316F8; Tue, 23 Jun 2026 13:03:35 +0200 (CEST) Message-ID: <74a0092b-5c16-41d0-99fc-c206c454bbe0@proxmox.com> Date: Tue, 23 Jun 2026 13:03:30 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta Subject: Re: [pdm-devel] [PATCH datacenter-manager] fix: api: allow non-pam users to access shell To: Proxmox Datacenter Manager development discussion , Shan Shaji References: <20251008140943.300897-1-s.shaji@proxmox.com> Content-Language: en-US From: Dominik Csapak In-Reply-To: <20251008140943.300897-1-s.shaji@proxmox.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1782212600257 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.049 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [termproxy.rs] Message-ID-Hash: DXENDNTJZERULXIULO3PKM2OAZKKVIO7 X-Message-ID-Hash: DXENDNTJZERULXIULO3PKM2OAZKKVIO7 X-MailFrom: d.csapak@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: see my one comment inline Aside from that Reviewed-by: Dominik Csapak On 10/8/25 4:09 PM, Shan Shaji wrote: > Remove the explicit restriction that only pam users can access the > shell. This is safe to do, as all users that are not root@pam will > be shown with a login shell. So they need to have some (PAM) login > credentials available. > > This changes is useful for setups where a host integrates with central > authentication systems (e.g. LDAP or Active Directory) either as a PDM > realm or as a PAM plugin. It also allows environments that favor > non-pam users for PDM by default, but still want to keep PAM > accounts available for admnistrators. > > Reference: pve-manager commit (7914f5e7b) and proxmox-backup commit > (c77dfaf31), these commits are already applied for PVE and PBS. > > Signed-off-by: Shan Shaji > --- > server/src/api/nodes/termproxy.rs | 6 +----- > 1 file changed, 1 insertion(+), 5 deletions(-) > > diff --git a/server/src/api/nodes/termproxy.rs b/server/src/api/nodes/termproxy.rs > index 8d7c1ff..3f689ef 100644 > --- a/server/src/api/nodes/termproxy.rs > +++ b/server/src/api/nodes/termproxy.rs > @@ -63,7 +63,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.") > } > }, > access: { > - description: "Restricted to users on realm 'pam'", > + description: "The user needs `Sys.Console` privilege on `/system`", while this is technically true for the api call, I'd still explicitely explain here that the user needs to have pam credentials, else some will be confused why they can't access the shell as their non-pam users. > permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false), > } > )] > @@ -81,10 +81,6 @@ async fn termproxy(cmd: Option, rpcenv: &mut dyn RpcEnvironment) -> Resu > > let userid = auth_id.user(); > > - if userid.realm() != "pam" { > - bail!("only pam users can use the console"); > - } > - > let path = "/system"; > > // use port 0 and let the kernel decide which port is free