[pve-devel] [PATCH manager 1/3] node console: restrict all non-login commands to root at pam
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Jun 14 12:42:13 CEST 2023
and not just upgrade.
note that the only other non-login command (ceph_install) is restricted to
root@pam in the web UI anyway, and that the termproxy endpoint is lacking this
check and thus always falls back to a login prompt for non-login commands
requested by non-root users.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
PVE/API2/Nodes.pm | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 9269694d6..81c7f3788 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -949,7 +949,7 @@ __PACKAGE__->register_method ({
node => get_standard_option('pve-node'),
cmd => {
type => 'string',
- description => "Run specific command or default to login.",
+ description => "Run specific command or default to login (requires 'root\@pam')",
enum => [keys %$shell_cmd_map],
optional => 1,
default => 'login',
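Review bot: The new description reads as if the default `login` itself required root, because the parenthetical sits directly after "default to login"; the trailing period was also dropped. Something like `description => "Run specific command or default to login. Any command other than 'login' requires 'root\@pam'.",` would state the rule the handler enforces. The same wording is repeated in the two later schema hunks (the `cmd` descriptions at -1089 and -1223), so the fix applies to all three.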
@@ -1000,7 +1000,7 @@ __PACKAGE__->register_method ({
raise_perm_exc("realm != pam") if $realm ne 'pam';
- if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root at pam') {
+ if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root at pam') {
raise_perm_exc('user != root at pam');
}
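Review bot: The condition is now deny-by-default for anything other than `login`, which is the right shape, but nothing in the code says that this is deliberate, and the identical test is duplicated in the last hunk (-1248). A short comment such as `# anything other than 'login' is restricted to root@pam, so new $shell_cmd_map entries are denied to other users by default` would keep a later edit from narrowing it back to a single command name. Normalising the value first, `my $cmd = $param->{cmd} // 'login';` followed by `raise_perm_exc('user != root@pam') if $cmd ne 'login' && $user ne 'root@pam';`, would also make both copies easier to compare. The literal shown here as 'root at pam' looks like the list archive's address obfuscation rather than the committed string, so it should be checked against the repository before the hunk is applied from this page. The handler body starts and ends outside the hunk.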
@@ -1089,7 +1089,7 @@ __PACKAGE__->register_method ({
node => get_standard_option('pve-node'),
cmd => {
type => 'string',
- description => "Run specific command or default to login.",
+ description => "Run specific command or default to login (requires 'root\@pam')",
enum => [keys %$shell_cmd_map],
optional => 1,
default => 'login',
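Review bot: This endpoint's schema now advertises "requires 'root\@pam'", but the patch carries no matching permission hunk for it, unlike the other two endpoints, which each get a description hunk and a check hunk. The commit message says the termproxy endpoint lacks the check and falls back to a login prompt; if this hunk is that endpoint, the documented requirement is not enforced here and API clients get a login prompt instead of a permission error. Either add the same test to this handler, `raise_perm_exc('user != root@pam') if defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam';`, or word this description to match the fallback. A later patch in the series may already cover this; the handler body is outside the hunk.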
@@ -1223,7 +1223,7 @@ __PACKAGE__->register_method ({
proxy => get_standard_option('spice-proxy', { optional => 1 }),
cmd => {
type => 'string',
- description => "Run specific command or default to login.",
+ description => "Run specific command or default to login (requires 'root\@pam')",
enum => [keys %$shell_cmd_map],
optional => 1,
default => 'login',
@@ -1248,7 +1248,7 @@ __PACKAGE__->register_method ({
raise_perm_exc("realm != pam") if $realm ne 'pam';
- if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root at pam') {
+ if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root at pam') {
raise_perm_exc('user != root at pam');
}
--
2.39.2