From: Thomas Lamprecht
To: Proxmox Backup Server development discussion, Shan Shaji
Date: Tue, 7 Oct 2025 16:30:34 +0200
References: <20250915125753.281895-1-s.shaji@proxmox.com>
In-Reply-To: <20250915125753.281895-1-s.shaji@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup] fix #6398: api: allow non-pam users to access shell

On 15.09.25 at 14:58, Shan Shaji wrote:
> Right now PBS is not allowing users to access the shell if the user
> is not a pam user even though the `Sys.Console` permission is
> already given. To fix the issue removed the pam realm check.

This is an explicit and dedicated check, it might not be warranted, but
it might as well exist for a reason, so removing such explicit
limitations really needs to argue about that in the commit message.

Here it would be probably enough to write that this is safe to do as
all users that are not root@pam will get a login shell anyway, so they
need to have some (PAM) login credentials available. This makes sense
to have as e.g. a host could use a central authentication system like
LDAP/AD or OIDC as PBS realm and as PAM plugin. Or just favor using a
non-pam user by default for PBS but still provide credentials to an
administrative PAM user to their admins.

Another argument to make is referencing pve-manager's commit 7914f5e7b
("node console: allow usage for non-pam realms"), which already
implemented exactly this change for PVE (albeit also not with spelling
out actual arguments for doing so).