[pbs-devel] [PATCH proxmox-backup v2] fix #6398: api: allow non-pam users to access shell

Shan Shaji s.shaji at proxmox.com
Wed Oct 8 12:47:11 CEST 2025


Remove the explicit restriction that only pam users can access the
shell. This is safe to do, as all users that are not root at pam will
be shown with a login shell. So they need to have some (PAM) login
credentials available.

This change is useful for setups where a host integrates with central
authentication systems (e.g. LDAP, Active Directory, or OIDC), either
as a PBS realm or as a PAM plugin. It also allows environments that
favor non-pam users for PBS by default, but still want to keep PAM
accounts available for administrators.

Reference: pve-manager commit 7914f5e7b ("node console: allow usage
for non-pam realms"), which already applied the same change for PVE.

Signed-off-by: Shan Shaji <s.shaji at proxmox.com>
---
 changes since v1: Thanks @Thomas
 - Updated commit message with more details. 

 src/api2/node/mod.rs | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index e7c6213c..34d4fb77 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@@ -92,7 +92,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
         }
     },
     access: {
-        description: "Restricted to users on realm 'pam'",
+        description: "The user needs Sys.Console on /system.",
         permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
     }
 )]
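Review bot: In the access block, the new description line only restates the permission given on the line below it, and it drops the caveat the commit message relies on: every user other than root@pam is shown a login shell and so still needs PAM login credentials on the host. Consider putting that into the description so API consumers see it, for example "The user needs Sys.Console on /system. Users other than root@pam get a login prompt."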
@@ -110,10 +110,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
 
     let userid = auth_id.user();
 
-    if userid.realm() != "pam" {
-        bail!("only pam users can use the console");
-    }
-
     let path = "/system";
 
     // use port 0 and let the kernel decide which port is free
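Review bot: With the realm check after `let userid = auth_id.user();` removed, the only gate left in the visible part of termproxy is the Sys.Console privilege on /system, and the safety argument from the commit message (anyone but root@pam ends up at a login shell) depends on code that is not part of this hunk. Please add a short comment at this spot stating that invariant, so that a later change to the root@pam handling does not silently remove the login step for other realms. Also confirm that `userid` is still used further down, since its only visible use is deleted here.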
-- 
2.47.3
