we have a SU privilege now, but we still drop to a login prompt on our spice/vnc/termproxy for such users.
Signed-off-by: Oguz Bektas <[email protected]> --- v2->v3: * limit non-root users to 'login' shellcmd on vncproxy, termproxy and spiceproxy PVE/API2/Nodes.pm | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm index 655493a3..52dae854 100644 --- a/PVE/API2/Nodes.pm +++ b/PVE/API2/Nodes.pm @@ -870,7 +870,7 @@ sub get_shell_command { $cmd = [ '/bin/login', '-f', 'root' ]; } } else { - # non-root must always login for now, we do not have a superuser role! + # non-root must always login, even with SU privilege $cmd = [ '/bin/login' ]; } return $cmd; @@ -960,7 +960,7 @@ __PACKAGE__->register_method ({ raise_perm_exc("realm != pam") if $realm ne 'pam'; - if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') { + if (defined($param->{cmd}) && $param->{cmd} eq 'login' && $user ne 'root@pam') { raise_perm_exc('user != root@pam'); } @@ -1077,8 +1077,13 @@ __PACKAGE__->register_method ({ my $rpcenv = PVE::RPCEnvironment::get(); my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user()); + raise_perm_exc("realm $realm != pam") if $realm ne 'pam'; + if (defined($param->{cmd}) && $param->{cmd} eq 'login' && $user ne 'root@pam') { + raise_perm_exc('user != root@pam'); + } + my $node = $param->{node}; my $authpath = "/nodes/$node"; my $ticket = PVE::AccessControl::assemble_vnc_ticket($user, $authpath); @@ -1208,7 +1213,7 @@ __PACKAGE__->register_method ({ raise_perm_exc("realm != pam") if $realm ne 'pam'; - if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') { + if (defined($param->{cmd}) && $param->{cmd} eq 'login' && $user ne 'root@pam') { raise_perm_exc('user != root@pam'); } -- 2.30.2 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
