From: Dominik Csapak <d.csapak@proxmox.com>
To: Proxmox Datacenter Manager development discussion
<pdm-devel@lists.proxmox.com>, Shan Shaji <s.shaji@proxmox.com>
Subject: Re: [pdm-devel] [PATCH datacenter-manager] fix: api: allow non-pam users to access shell
Date: Tue, 23 Jun 2026 13:03:30 +0200 [thread overview]
Message-ID: <74a0092b-5c16-41d0-99fc-c206c454bbe0@proxmox.com> (raw)
In-Reply-To: <20251008140943.300897-1-s.shaji@proxmox.com>
see my one comment inline
Aside from that
Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
On 10/8/25 4:09 PM, Shan Shaji wrote:
> Remove the explicit restriction that only pam users can access the
> shell. This is safe to do, as all users that are not root@pam will
> be shown with a login shell. So they need to have some (PAM) login
> credentials available.
>
> This changes is useful for setups where a host integrates with central
> authentication systems (e.g. LDAP or Active Directory) either as a PDM
> realm or as a PAM plugin. It also allows environments that favor
> non-pam users for PDM by default, but still want to keep PAM
> accounts available for admnistrators.
>
> Reference: pve-manager commit (7914f5e7b) and proxmox-backup commit
> (c77dfaf31), these commits are already applied for PVE and PBS.
>
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
> server/src/api/nodes/termproxy.rs | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
>
> diff --git a/server/src/api/nodes/termproxy.rs b/server/src/api/nodes/termproxy.rs
> index 8d7c1ff..3f689ef 100644
> --- a/server/src/api/nodes/termproxy.rs
> +++ b/server/src/api/nodes/termproxy.rs
> @@ -63,7 +63,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
> }
> },
> access: {
> - description: "Restricted to users on realm 'pam'",
> + description: "The user needs `Sys.Console` privilege on `/system`",
while this is technically true for the api call, I'd still explicitely
explain here that the user needs to have pam credentials, else some
will be confused why they can't access the shell as their non-pam users.
> permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
> }
> )]
> @@ -81,10 +81,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
>
> let userid = auth_id.user();
>
> - if userid.realm() != "pam" {
> - bail!("only pam users can use the console");
> - }
> -
> let path = "/system";
>
> // use port 0 and let the kernel decide which port is free
prev parent reply other threads:[~2026-06-23 11:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-08 14:09 [pdm-devel] [PATCH datacenter-manager] fix: api: allow non-pam users to access shell Shan Shaji
2026-06-23 8:16 ` Shan Shaji
2026-06-23 12:05 ` Shan Shaji
2026-06-23 11:03 ` Dominik Csapak [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74a0092b-5c16-41d0-99fc-c206c454bbe0@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
--cc=s.shaji@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox