[pdm-devel] [PATCH proxmox-backup 1/4] tree-wide: user Userid::root_user() instead of hard-coded root at pam
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 11 09:29:17 CET 2025
we were not super consistent here, and this might be a nice first step towards
later on replacing these call sites with calls to is_superuser(), if we go down
that route..
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
pbs-config/src/acl.rs | 2 +-
pbs-config/src/cached_user_info.rs | 4 ++--
pbs-config/src/user.rs | 5 +++--
src/api2/node/mod.rs | 10 ++++++----
4 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/pbs-config/src/acl.rs b/pbs-config/src/acl.rs
index fb3863b8f..2abbf5802 100644
--- a/pbs-config/src/acl.rs
+++ b/pbs-config/src/acl.rs
@@ -449,7 +449,7 @@ impl AclTree {
for (auth_id, roles) in &node.users {
// no need to save, because root is always 'Administrator'
- if !auth_id.is_token() && auth_id.user() == "root at pam" {
+ if !auth_id.is_token() && auth_id.user() == Userid::root_userid() {
continue;
}
for (role, propagate) in roles {
diff --git a/pbs-config/src/cached_user_info.rs b/pbs-config/src/cached_user_info.rs
index e1cd2d68a..0bba542b2 100644
--- a/pbs-config/src/cached_user_info.rs
+++ b/pbs-config/src/cached_user_info.rs
@@ -137,7 +137,7 @@ impl CachedUserInfo {
}
pub fn is_superuser(&self, auth_id: &Authid) -> bool {
- !auth_id.is_token() && auth_id.user() == "root at pam"
+ !auth_id.is_token() && auth_id.user() == Userid::root_userid()
}
pub fn is_group_member(&self, _userid: &Userid, _group: &str) -> bool {
@@ -208,7 +208,7 @@ impl CachedUserInfo {
impl UserInformation for CachedUserInfo {
fn is_superuser(&self, userid: &str) -> bool {
- userid == "root at pam"
+ userid == Userid::root_userid().as_str()
}
fn is_group_member(&self, _userid: &str, _group: &str) -> bool {
diff --git a/pbs-config/src/user.rs b/pbs-config/src/user.rs
index 08d141e66..87e3bfb2d 100644
--- a/pbs-config/src/user.rs
+++ b/pbs-config/src/user.rs
@@ -53,8 +53,9 @@ pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
let digest = openssl::sha::sha256(content.as_bytes());
let mut data = CONFIG.parse(USER_CFG_FILENAME, &content)?;
+ let root_user = Userid::root_userid().as_str();
- if !data.sections.contains_key("root at pam") {
+ if !data.sections.contains_key(root_user) {
let user: User = User {
userid: Userid::root_userid().clone(),
comment: Some("Superuser".to_string()),
@@ -64,7 +65,7 @@ pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
lastname: None,
email: None,
};
- data.set_data("root at pam", "user", &user).unwrap();
+ data.set_data(root_user, "user", &user).unwrap();
}
Ok((data, digest))
diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index 83367bd09..72df9ea72 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@@ -25,7 +25,7 @@ use proxmox_schema::*;
use proxmox_sortable_macro::sortable;
use proxmox_sys::fd::fd_change_cloexec;
-use pbs_api_types::{NODE_SCHEMA, PRIV_SYS_CONSOLE};
+use pbs_api_types::{Userid, NODE_SCHEMA, PRIV_SYS_CONSOLE};
use tracing::{info, warn};
use crate::auth::{private_auth_keyring, public_auth_keyring};
@@ -98,6 +98,8 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
)]
/// Call termproxy and return shell ticket
async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Result<Value, Error> {
+ let root_user = Userid::root_userid();
+
// intentionally user only for now
let auth_id: Authid = rpcenv
.get_auth_id()
@@ -125,14 +127,14 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
match cmd.as_deref() {
Some("login") | None => {
command.push("login");
- if userid == "root at pam" {
+ if userid == root_user {
command.push("-f");
command.push("root");
}
}
Some("upgrade") => {
- if userid != "root at pam" {
- bail!("only root at pam can upgrade");
+ if userid != root_user {
+ bail!("only {root_user} can upgrade");
}
// TODO: add nicer/safer wrapper like in PVE instead
command.push("sh");
--
2.47.3
More information about the pdm-devel
mailing list