[pbs-devel] [PATCH proxmox-backup] fix #6398: api: allow non-pam users to access shell
Shan Shaji
s.shaji at proxmox.com
Tue Oct 7 17:13:50 CEST 2025
Thanks @Thomas for the review, makes sense. I will create a v2 with
an updated commit message.
On Tue Oct 7, 2025 at 4:30 PM CEST, Thomas Lamprecht wrote:
> Am 15.09.25 um 14:58 schrieb Shan Shaji:
>> Right now PBS is not allowing users to access the shell if the user
>> is not a pam user even though the `Sys.Console` permission is
>> already given. To fix the issue removed the palm realm check.
>
> This is a explicit and dedicated check, it might not be warranted,
> but it might as well exist for a reason, so removing such explicit
> limitations really need to argue about that in the commit message.
>
> Here it would be probably enough to write that this is safe to do as
> all users that are not root at pam will get a login shell anyway, so
> they need to have some (PAM) login credentials available. This makes
> sense to have as e.g. a host could be use a central authentication
> system like LDAP/AD or OIDC as PBS realm and as PAM plugin. Or just
> favor using a non-pam user by default for PBS but still provide
> credentials to a administrative PAM user to their admins.
>
> Another argument to make is referencing pve-manager's commit
> 7914f5e7b ("node console: allow usage for non-pam realms"), which
> already implemented exactly this change for PVE (albeit also not
> with spelling out actual arguments for doing so)
More information about the pbs-devel
mailing list