[pdm-devel] [PATCH datacenter-manager] fix: api: allow non-pam users to access shell

[Shan Shaji]

Remove the explicit restriction that only pam users can access the
shell. This is safe to do, as all users that are not root at pam will
be shown with a login shell. So they need to have some (PAM) login
credentials available.

This changes is useful for setups where a host integrates with central
authentication systems (e.g. LDAP or Active Directory) either as a PDM
realm or as a PAM plugin. It also allows environments that favor
non-pam users for PDM by default, but still want to keep PAM
accounts available for admnistrators.

Reference: pve-manager commit (7914f5e7b) and proxmox-backup commit
(c77dfaf31), these commits are already applied for PVE and PBS.

Signed-off-by: Shan Shaji <s.shaji at proxmox.com>
---
 server/src/api/nodes/termproxy.rs | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/server/src/api/nodes/termproxy.rs b/server/src/api/nodes/termproxy.rs
index 8d7c1ff..3f689ef 100644
--- a/server/src/api/nodes/termproxy.rs
+++ b/server/src/api/nodes/termproxy.rs
@@ -63,7 +63,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
         }
     },
     access: {
-        description: "Restricted to users on realm 'pam'",
+        description: "The user needs `Sys.Console` privilege on `/system`",
         permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
     }
 )]
@@ -81,10 +81,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
 
     let userid = auth_id.user();
 
-    if userid.realm() != "pam" {
-        bail!("only pam users can use the console");
-    }
-
     let path = "/system";
 
     // use port 0 and let the kernel decide which port is free
-- 
2.47.3