* [pbs-devel] [PATCH proxmox-backup] fix #6398: api: allow non-pam users to access shell
@ 2025-09-15 12:57 Shan Shaji
2025-10-07 11:51 ` Shan Shaji
2025-10-07 14:30 ` Thomas Lamprecht
0 siblings, 2 replies; 4+ messages in thread
From: Shan Shaji @ 2025-09-15 12:57 UTC (permalink / raw)
To: pbs-devel; +Cc: Shan Shaji
Right now PBS is not allowing users to access the shell if the user
is not a pam user even though the `Sys.Console` permission is
already given. To fix the issue, remove the pam realm check.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
src/api2/node/mod.rs | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index e7c6213c..34d4fb77 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@@ -92,7 +92,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
}
},
access: {
- description: "Restricted to users on realm 'pam'",
+ description: "The user needs Sys.Console on /system.",
permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
}
)]
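Review bot: in the `access` block, the new `description` only restates the `permission` line directly below it (`PRIV_SYS_CONSOLE` on `["system"]`), so it tells an API reader nothing the schema does not already encode. Consider wording it to record the behaviour change instead, for example that users of any realm may use the endpoint as long as they hold Sys.Console on /system.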
@@ -110,10 +110,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
let userid = auth_id.user();
- if userid.realm() != "pam" {
- bail!("only pam users can use the console");
- }
-
let path = "/system";
// use port 0 and let the kernel decide which port is free
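Review bot: in `termproxy`, the deleted `userid.realm() != "pam"` bail was an explicit restriction, and after this hunk the only gate left in the visible lines is the `Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false)` declaration from the first hunk. The commit message says the check was removed but not why that is safe, so the reasoning should be added there. Also check that `userid` from the context line `let userid = auth_id.user();` is still used further down in the function, since its only use visible here is removed; if it is not, drop the binding.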
--
2.47.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
* Re: [pbs-devel] [PATCH proxmox-backup] fix #6398: api: allow non-pam users to access shell
From: Shan Shaji @ 2025-10-07 11:51 UTC (permalink / raw)
To: Shan Shaji, pbs-devel
Ping
* Re: [pbs-devel] [PATCH proxmox-backup] fix #6398: api: allow non-pam users to access shell
From: Thomas Lamprecht @ 2025-10-07 14:30 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Shan Shaji
On 15.09.25 at 14:58, Shan Shaji wrote:
> Right now PBS is not allowing users to access the shell if the user
> is not a pam user even though the `Sys.Console` permission is
> already given. To fix the issue, remove the pam realm check.

This is an explicit and dedicated check, it might not be warranted,
but it might as well exist for a reason, so removing such explicit
limitations really needs to argue about that in the commit message.

Here it would be probably enough to write that this is safe to do as
all users that are not root@pam will get a login shell anyway, so
they need to have some (PAM) login credentials available. This makes
sense to have as e.g. a host could use a central authentication
system like LDAP/AD or OIDC as PBS realm and as PAM plugin. Or just
favor using a non-pam user by default for PBS but still provide
credentials to an administrative PAM user to their admins.

Another argument to make is referencing pve-manager's commit
7914f5e7b ("node console: allow usage for non-pam realms"), which
already implemented exactly this change for PVE (albeit also not
with spelling out actual arguments for doing so).
* Re: [pbs-devel] [PATCH proxmox-backup] fix #6398: api: allow non-pam users to access shell
From: Shan Shaji @ 2025-10-07 15:13 UTC (permalink / raw)
To: Thomas Lamprecht, Proxmox Backup Server development discussion
Thanks @Thomas for the review, makes sense. I will create a v2 with
an updated commit message.
On Tue Oct 7, 2025 at 4:30 PM CEST, Thomas Lamprecht wrote:
> On 15.09.25 at 14:58, Shan Shaji wrote:
>> Right now PBS is not allowing users to access the shell if the user
>> is not a pam user even though the `Sys.Console` permission is
>> already given. To fix the issue, remove the pam realm check.
>
> This is an explicit and dedicated check, it might not be warranted,
> but it might as well exist for a reason, so removing such explicit
> limitations really needs to argue about that in the commit message.
>
> Here it would be probably enough to write that this is safe to do as
> all users that are not root@pam will get a login shell anyway, so
> they need to have some (PAM) login credentials available. This makes
> sense to have as e.g. a host could use a central authentication
> system like LDAP/AD or OIDC as PBS realm and as PAM plugin. Or just
> favor using a non-pam user by default for PBS but still provide
> credentials to an administrative PAM user to their admins.
>
> Another argument to make is referencing pve-manager's commit
> 7914f5e7b ("node console: allow usage for non-pam realms"), which
> already implemented exactly this change for PVE (albeit also not
> with spelling out actual arguments for doing so).