From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox-backup 1/4] tree-wide: user Userid::root_user() instead of hard-coded root@pam
Date: Tue, 11 Nov 2025 09:29:17 +0100 [thread overview]
Message-ID: <20251111082938.221008-11-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20251111082938.221008-1-f.gruenbichler@proxmox.com>
we were not super consistent here, and this might be a nice first step towards
later on replacing these call sites with calls to is_superuser(), if we go down
that route..
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
pbs-config/src/acl.rs | 2 +-
pbs-config/src/cached_user_info.rs | 4 ++--
pbs-config/src/user.rs | 5 +++--
src/api2/node/mod.rs | 10 ++++++----
4 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/pbs-config/src/acl.rs b/pbs-config/src/acl.rs
index fb3863b8f..2abbf5802 100644
--- a/pbs-config/src/acl.rs
+++ b/pbs-config/src/acl.rs
@@ -449,7 +449,7 @@ impl AclTree {
for (auth_id, roles) in &node.users {
// no need to save, because root is always 'Administrator'
- if !auth_id.is_token() && auth_id.user() == "root@pam" {
+ if !auth_id.is_token() && auth_id.user() == Userid::root_userid() {
continue;
}
for (role, propagate) in roles {
diff --git a/pbs-config/src/cached_user_info.rs b/pbs-config/src/cached_user_info.rs
index e1cd2d68a..0bba542b2 100644
--- a/pbs-config/src/cached_user_info.rs
+++ b/pbs-config/src/cached_user_info.rs
@@ -137,7 +137,7 @@ impl CachedUserInfo {
}
pub fn is_superuser(&self, auth_id: &Authid) -> bool {
- !auth_id.is_token() && auth_id.user() == "root@pam"
+ !auth_id.is_token() && auth_id.user() == Userid::root_userid()
}
pub fn is_group_member(&self, _userid: &Userid, _group: &str) -> bool {
@@ -208,7 +208,7 @@ impl CachedUserInfo {
impl UserInformation for CachedUserInfo {
fn is_superuser(&self, userid: &str) -> bool {
- userid == "root@pam"
+ userid == Userid::root_userid().as_str()
}
fn is_group_member(&self, _userid: &str, _group: &str) -> bool {
diff --git a/pbs-config/src/user.rs b/pbs-config/src/user.rs
index 08d141e66..87e3bfb2d 100644
--- a/pbs-config/src/user.rs
+++ b/pbs-config/src/user.rs
@@ -53,8 +53,9 @@ pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
let digest = openssl::sha::sha256(content.as_bytes());
let mut data = CONFIG.parse(USER_CFG_FILENAME, &content)?;
+ let root_user = Userid::root_userid().as_str();
- if !data.sections.contains_key("root@pam") {
+ if !data.sections.contains_key(root_user) {
let user: User = User {
userid: Userid::root_userid().clone(),
comment: Some("Superuser".to_string()),
@@ -64,7 +65,7 @@ pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
lastname: None,
email: None,
};
- data.set_data("root@pam", "user", &user).unwrap();
+ data.set_data(root_user, "user", &user).unwrap();
}
Ok((data, digest))
diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index 83367bd09..72df9ea72 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@@ -25,7 +25,7 @@ use proxmox_schema::*;
use proxmox_sortable_macro::sortable;
use proxmox_sys::fd::fd_change_cloexec;
-use pbs_api_types::{NODE_SCHEMA, PRIV_SYS_CONSOLE};
+use pbs_api_types::{Userid, NODE_SCHEMA, PRIV_SYS_CONSOLE};
use tracing::{info, warn};
use crate::auth::{private_auth_keyring, public_auth_keyring};
@@ -98,6 +98,8 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
)]
/// Call termproxy and return shell ticket
async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Result<Value, Error> {
+ let root_user = Userid::root_userid();
+
// intentionally user only for now
let auth_id: Authid = rpcenv
.get_auth_id()
@@ -125,14 +127,14 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
match cmd.as_deref() {
Some("login") | None => {
command.push("login");
- if userid == "root@pam" {
+ if userid == root_user {
command.push("-f");
command.push("root");
}
}
Some("upgrade") => {
- if userid != "root@pam" {
- bail!("only root@pam can upgrade");
+ if userid != root_user {
+ bail!("only {root_user} can upgrade");
}
// TODO: add nicer/safer wrapper like in PVE instead
command.push("sh");
--
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-11-11 8:29 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-11 8:29 [pdm-devel] [PATCH access-control/manager/proxmox{, -backup, -yew-comp, -datacenter-manager}/xtermjs 00/25] add remote node shell Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH pve-xtermjs 1/2] xtermjs: add support for remote node shells via PDM Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH pve-xtermjs 2/2] termproxy: allow using new vncticket endpoint Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH access-control 1/1] api: ticket: allow token-owned VNC ticket verification Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH manager 1/3] api: termproxy/vncwebsocket: allow tokens Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH manager 2/3] api: termproxy: add description to return schema Fabian Grünbichler
2025-11-13 10:38 ` Stefan Hanreich
2025-11-11 8:29 ` [pdm-devel] [PATCH manager 3/3] http server: allow unauthenticated access to /access/vncticket Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox 1/3] pbs-api-types: add NodeShellTicket Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox 2/3] auth-api: use Authid for path ticket validation Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox 3/3] auth-api: add vncticket verification endpoint and type Fabian Grünbichler
2025-11-11 8:29 ` Fabian Grünbichler [this message]
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-backup 2/4] api: access: add vncticket verification endpoint Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-backup 3/4] api: node shell: allow access for tokens Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-backup 4/4] api: termproxy: use NodeShellTicket type from pbs-api-types Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-yew-comp 1/3] xtermjs: add remote PVE support Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-yew-comp 2/3] xtermjs: merge ConsoleType to parameters conversion Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-yew-comp 3/3] xtermjs: add remote PBS console type Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 1/9] auth: allow tokens in term tickets Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 2/9] connection: add access to "raw" client Fabian Grünbichler
2025-11-13 10:39 ` Stefan Hanreich
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 3/9] pbs client: add termproxy wrapper Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 4/9] api: add remote_shell module with termproxy endpoint Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 5/9] api: remote shell: add websocket endpoint Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 6/9] api: pve: wire up remote shell support Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 7/9] ui: pve: node: add shell tab Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 8/9] api: pbs: wire up node shell endpoints Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 9/9] ui: add PBS remote shell button Fabian Grünbichler
2025-11-13 10:40 ` [pdm-devel] [PATCH access-control/manager/proxmox{, -backup, -yew-comp, -datacenter-manager}/xtermjs 00/25] add remote node shell Stefan Hanreich
2025-11-14 11:04 ` [pdm-devel] partially-applied: " Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251111082938.221008-11-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox