[pve-devel] [PATCH v4 manager 12/18] api: always drop to login prompt for non-root users on terminal proxy calls

Thu Jun 2 09:24:44 CEST 2022

we should still drop to a login prompt on our spice/vnc/termproxy for
SUs.

also updated a comment about missing superuser role.

Suggested-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
v3->v4:
* changed wrong condition check (eq 'login' vs. ne 'login')


 PVE/API2/Nodes.pm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 655493a3..a43768a7 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -870,7 +870,7 @@ sub get_shell_command  {
 	    $cmd = [ '/bin/login', '-f', 'root' ];
 	}
     } else {
-	# non-root must always login for now, we do not have a superuser role!
+	# non-root must always login, even with SU privilege
 	$cmd = [ '/bin/login' ];
     }
     return $cmd;
@@ -960,7 +960,7 @@ __PACKAGE__->register_method ({
 
 	raise_perm_exc("realm != pam") if $realm ne 'pam';
 
-	if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root at pam') {
+	if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root at pam') {
 	    raise_perm_exc('user != root at pam');
 	}
 
@@ -1077,8 +1077,13 @@ __PACKAGE__->register_method ({
 
 	my $rpcenv = PVE::RPCEnvironment::get();
 	my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user());
+
 	raise_perm_exc("realm $realm != pam") if $realm ne 'pam';
 
+	if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root at pam') {
+	    raise_perm_exc('user != root at pam');
+	}
+
 	my $node = $param->{node};
 	my $authpath = "/nodes/$node";
 	my $ticket = PVE::AccessControl::assemble_vnc_ticket($user, $authpath);
@@ -1208,7 +1213,7 @@ __PACKAGE__->register_method ({
 
 	raise_perm_exc("realm != pam") if $realm ne 'pam';
 
-	if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root at pam') {
+	if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root at pam') {
 	    raise_perm_exc('user != root at pam');
 	}
 
-- 
2.30.2




