[pve-devel] [PATCH v3 manager 11/17] api: always show login prompt for non-root users on terminal proxy calls
Oguz Bektas
o.bektas at proxmox.com
Wed Apr 6 13:57:28 CEST 2022
we have a SU privilege now, but we still drop to a login prompt on our
spice/vnc/termproxy for such users.
Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
v2->v3:
* limit non-root users to 'login' shellcmd on vncproxy, termproxy and spiceproxy
PVE/API2/Nodes.pm | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 655493a3..52dae854 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -870,7 +870,7 @@ sub get_shell_command {
$cmd = [ '/bin/login', '-f', 'root' ];
}
} else {
- # non-root must always login for now, we do not have a superuser role!
+ # non-root must always login, even with SU privilege
$cmd = [ '/bin/login' ];
}
return $cmd;
@@ -960,7 +960,7 @@ __PACKAGE__->register_method ({
raise_perm_exc("realm != pam") if $realm ne 'pam';
- if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root at pam') {
+ if (defined($param->{cmd}) && $param->{cmd} eq 'login' && $user ne 'root at pam') {
raise_perm_exc('user != root at pam');
}
@@ -1077,8 +1077,13 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user());
+
raise_perm_exc("realm $realm != pam") if $realm ne 'pam';
+ if (defined($param->{cmd}) && $param->{cmd} eq 'login' && $user ne 'root at pam') {
+ raise_perm_exc('user != root at pam');
+ }
+
my $node = $param->{node};
my $authpath = "/nodes/$node";
my $ticket = PVE::AccessControl::assemble_vnc_ticket($user, $authpath);
@@ -1208,7 +1213,7 @@ __PACKAGE__->register_method ({
raise_perm_exc("realm != pam") if $realm ne 'pam';
- if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root at pam') {
+ if (defined($param->{cmd}) && $param->{cmd} eq 'login' && $user ne 'root at pam') {
raise_perm_exc('user != root at pam');
}
--
2.30.2
More information about the pve-devel
mailing list