* [pbs-devel] [PATCH proxmox-backup v2] fix #6398: api: allow non-pam users to access shell
@ 2025-10-08 10:47 Shan Shaji
2025-10-08 11:13 ` [pbs-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Shan Shaji @ 2025-10-08 10:47 UTC (permalink / raw)
To: pbs-devel; +Cc: Shan Shaji
Remove the explicit restriction that only pam users can access the
shell. This is safe to do, as all users that are not root@pam will
be shown with a login shell. So they need to have some (PAM) login
credentials available.
This change is useful for setups where a host integrates with central
authentication systems (e.g. LDAP, Active Directory, or OIDC), either
as a PBS realm or as a PAM plugin. It also allows environments that
favor non-pam users for PBS by default, but still want to keep PAM
accounts available for admnistrators.
Reference: pve-manager commit 7914f5e7b ("node console: allow usage
for non-pam realms), which already applied the same change for PVE.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
changes since v1: Thanks @Thomas
- Updated commit message with more details.
src/api2/node/mod.rs | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index e7c6213c..34d4fb77 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@@ -92,7 +92,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
}
},
access: {
- description: "Restricted to users on realm 'pam'",
+ description: "The user needs Sys.Console on /system.",
permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
}
)]
@@ -110,10 +110,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
let userid = auth_id.user();
- if userid.realm() != "pam" {
- bail!("only pam users can use the console");
- }
-
let path = "/system";
// use port 0 and let the kernel decide which port is free
--
2.47.3
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* [pbs-devel] applied: [PATCH proxmox-backup v2] fix #6398: api: allow non-pam users to access shell
2025-10-08 10:47 [pbs-devel] [PATCH proxmox-backup v2] fix #6398: api: allow non-pam users to access shell Shan Shaji
@ 2025-10-08 11:13 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2025-10-08 11:13 UTC (permalink / raw)
To: pbs-devel, Shan Shaji
On Wed, 08 Oct 2025 12:47:11 +0200, Shan Shaji wrote:
> Remove the explicit restriction that only pam users can access the
> shell. This is safe to do, as all users that are not root@pam will
> be shown with a login shell. So they need to have some (PAM) login
> credentials available.
>
> This change is useful for setups where a host integrates with central
> authentication systems (e.g. LDAP, Active Directory, or OIDC), either
> as a PBS realm or as a PAM plugin. It also allows environments that
> favor non-pam users for PBS by default, but still want to keep PAM
> accounts available for admnistrators.
>
> [...]
Applied, thanks!
[1/1] fix #6398: api: allow non-pam users to access shell
commit: c77dfaf31f3e97fa0dd52ce4b85afe768b867562
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-10-08 11:14 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-10-08 10:47 [pbs-devel] [PATCH proxmox-backup v2] fix #6398: api: allow non-pam users to access shell Shan Shaji
2025-10-08 11:13 ` [pbs-devel] applied: " Thomas Lamprecht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox