From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 1C88374D14 for ; Thu, 2 Jun 2022 09:25:42 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 531982757F for ; Thu, 2 Jun 2022 09:25:11 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id DBB542745C for ; Thu, 2 Jun 2022 09:25:05 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id B3E9843A07 for ; Thu, 2 Jun 2022 09:25:05 +0200 (CEST) From: Oguz Bektas To: pve-devel@lists.proxmox.com Date: Thu, 2 Jun 2022 09:24:44 +0200 Message-Id: <20220602072450.55209-13-o.bektas@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220602072450.55209-1-o.bektas@proxmox.com> References: <20220602072450.55209-1-o.bektas@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.477 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [nodes.pm] Subject: [pve-devel] [PATCH v4 manager 12/18] api: always drop to login prompt for non-root users on terminal proxy calls X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Jun 2022 07:25:42 -0000 we should still drop to a login prompt on our spice/vnc/termproxy for SUs. also updated a comment about missing superuser role. Suggested-by: Fabian Grünbichler Signed-off-by: Oguz Bektas --- v3->v4: * changed wrong condition check (eq 'login' vs. ne 'login') PVE/API2/Nodes.pm | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm index 655493a3..a43768a7 100644 --- a/PVE/API2/Nodes.pm +++ b/PVE/API2/Nodes.pm @@ -870,7 +870,7 @@ sub get_shell_command { $cmd = [ '/bin/login', '-f', 'root' ]; } } else { - # non-root must always login for now, we do not have a superuser role! + # non-root must always login, even with SU privilege $cmd = [ '/bin/login' ]; } return $cmd; @@ -960,7 +960,7 @@ __PACKAGE__->register_method ({ raise_perm_exc("realm != pam") if $realm ne 'pam'; - if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') { + if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') { raise_perm_exc('user != root@pam'); } @@ -1077,8 +1077,13 @@ __PACKAGE__->register_method ({ my $rpcenv = PVE::RPCEnvironment::get(); my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user()); + raise_perm_exc("realm $realm != pam") if $realm ne 'pam'; + if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') { + raise_perm_exc('user != root@pam'); + } + my $node = $param->{node}; my $authpath = "/nodes/$node"; my $ticket = PVE::AccessControl::assemble_vnc_ticket($user, $authpath); @@ -1208,7 +1213,7 @@ __PACKAGE__->register_method ({ raise_perm_exc("realm != pam") if $realm ne 'pam'; - if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') { + if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') { raise_perm_exc('user != root@pam'); } -- 2.30.2