* [pdm-devel] [PATCH datacenter-manager] fix: api: allow non-pam users to access shell
@ 2025-10-08 14:09 Shan Shaji
2026-06-23 8:16 ` Shan Shaji
2026-06-23 11:03 ` [pdm-devel] " Dominik Csapak
0 siblings, 2 replies; 4+ messages in thread
From: Shan Shaji @ 2025-10-08 14:09 UTC (permalink / raw)
To: pdm-devel
Remove the explicit restriction that only pam users can access the
shell. This is safe to do, as all users that are not root@pam will
be shown with a login shell. So they need to have some (PAM) login
credentials available.
This changes is useful for setups where a host integrates with central
authentication systems (e.g. LDAP or Active Directory) either as a PDM
realm or as a PAM plugin. It also allows environments that favor
non-pam users for PDM by default, but still want to keep PAM
accounts available for admnistrators.
Reference: pve-manager commit (7914f5e7b) and proxmox-backup commit
(c77dfaf31), these commits are already applied for PVE and PBS.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
server/src/api/nodes/termproxy.rs | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/server/src/api/nodes/termproxy.rs b/server/src/api/nodes/termproxy.rs
index 8d7c1ff..3f689ef 100644
--- a/server/src/api/nodes/termproxy.rs
+++ b/server/src/api/nodes/termproxy.rs
@@ -63,7 +63,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
}
},
access: {
- description: "Restricted to users on realm 'pam'",
+ description: "The user needs `Sys.Console` privilege on `/system`",
permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
}
)]
@@ -81,10 +81,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
let userid = auth_id.user();
- if userid.realm() != "pam" {
- bail!("only pam users can use the console");
- }
-
let path = "/system";
// use port 0 and let the kernel decide which port is free
--
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH datacenter-manager] fix: api: allow non-pam users to access shell
2025-10-08 14:09 [pdm-devel] [PATCH datacenter-manager] fix: api: allow non-pam users to access shell Shan Shaji
@ 2026-06-23 8:16 ` Shan Shaji
2026-06-23 12:05 ` Shan Shaji
2026-06-23 11:03 ` [pdm-devel] " Dominik Csapak
1 sibling, 1 reply; 4+ messages in thread
From: Shan Shaji @ 2026-06-23 8:16 UTC (permalink / raw)
To: Shan Shaji, pdm-devel
Gentle ping, this still applies on master. We have a report related to
this in bugzilla [1]
- [1] https://bugzilla.proxmox.com/show_bug.cgi?id=7726
On Wed Oct 8, 2025 at 4:09 PM CEST, Shan Shaji wrote:
> Remove the explicit restriction that only pam users can access the
> shell. This is safe to do, as all users that are not root@pam will
> be shown with a login shell. So they need to have some (PAM) login
> credentials available.
>
> This changes is useful for setups where a host integrates with central
> authentication systems (e.g. LDAP or Active Directory) either as a PDM
> realm or as a PAM plugin. It also allows environments that favor
> non-pam users for PDM by default, but still want to keep PAM
> accounts available for admnistrators.
>
> Reference: pve-manager commit (7914f5e7b) and proxmox-backup commit
> (c77dfaf31), these commits are already applied for PVE and PBS.
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [pdm-devel] [PATCH datacenter-manager] fix: api: allow non-pam users to access shell
2025-10-08 14:09 [pdm-devel] [PATCH datacenter-manager] fix: api: allow non-pam users to access shell Shan Shaji
2026-06-23 8:16 ` Shan Shaji
@ 2026-06-23 11:03 ` Dominik Csapak
1 sibling, 0 replies; 4+ messages in thread
From: Dominik Csapak @ 2026-06-23 11:03 UTC (permalink / raw)
To: Proxmox Datacenter Manager development discussion, Shan Shaji
see my one comment inline
Aside from that
Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
On 10/8/25 4:09 PM, Shan Shaji wrote:
> Remove the explicit restriction that only pam users can access the
> shell. This is safe to do, as all users that are not root@pam will
> be shown with a login shell. So they need to have some (PAM) login
> credentials available.
>
> This changes is useful for setups where a host integrates with central
> authentication systems (e.g. LDAP or Active Directory) either as a PDM
> realm or as a PAM plugin. It also allows environments that favor
> non-pam users for PDM by default, but still want to keep PAM
> accounts available for admnistrators.
>
> Reference: pve-manager commit (7914f5e7b) and proxmox-backup commit
> (c77dfaf31), these commits are already applied for PVE and PBS.
>
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
> server/src/api/nodes/termproxy.rs | 6 +-----
> 1 file changed, 1 insertion(+), 5 deletions(-)
>
> diff --git a/server/src/api/nodes/termproxy.rs b/server/src/api/nodes/termproxy.rs
> index 8d7c1ff..3f689ef 100644
> --- a/server/src/api/nodes/termproxy.rs
> +++ b/server/src/api/nodes/termproxy.rs
> @@ -63,7 +63,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
> }
> },
> access: {
> - description: "Restricted to users on realm 'pam'",
> + description: "The user needs `Sys.Console` privilege on `/system`",
while this is technically true for the api call, I'd still explicitely
explain here that the user needs to have pam credentials, else some
will be confused why they can't access the shell as their non-pam users.
> permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
> }
> )]
> @@ -81,10 +81,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
>
> let userid = auth_id.user();
>
> - if userid.realm() != "pam" {
> - bail!("only pam users can use the console");
> - }
> -
> let path = "/system";
>
> // use port 0 and let the kernel decide which port is free
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH datacenter-manager] fix: api: allow non-pam users to access shell
2026-06-23 8:16 ` Shan Shaji
@ 2026-06-23 12:05 ` Shan Shaji
0 siblings, 0 replies; 4+ messages in thread
From: Shan Shaji @ 2026-06-23 12:05 UTC (permalink / raw)
To: Shan Shaji, pdm-devel
Superseded by v2: https://lore.proxmox.com/pdm-devel/20260623120314.305942-1-s.shaji@proxmox.com/T/#u
On Tue Jun 23, 2026 at 10:16 AM CEST, Shan Shaji wrote:
> Gentle ping, this still applies on master. We have a report related to
> this in bugzilla [1]
>
> - [1] https://bugzilla.proxmox.com/show_bug.cgi?id=7726
>
> On Wed Oct 8, 2025 at 4:09 PM CEST, Shan Shaji wrote:
>> Remove the explicit restriction that only pam users can access the
>> shell. This is safe to do, as all users that are not root@pam will
>> be shown with a login shell. So they need to have some (PAM) login
>> credentials available.
>>
>> This changes is useful for setups where a host integrates with central
>> authentication systems (e.g. LDAP or Active Directory) either as a PDM
>> realm or as a PAM plugin. It also allows environments that favor
>> non-pam users for PDM by default, but still want to keep PAM
>> accounts available for admnistrators.
>>
>> Reference: pve-manager commit (7914f5e7b) and proxmox-backup commit
>> (c77dfaf31), these commits are already applied for PVE and PBS.
>>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-23 12:05 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-08 14:09 [pdm-devel] [PATCH datacenter-manager] fix: api: allow non-pam users to access shell Shan Shaji
2026-06-23 8:16 ` Shan Shaji
2026-06-23 12:05 ` Shan Shaji
2026-06-23 11:03 ` [pdm-devel] " Dominik Csapak
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox