and not just upgrade. note that the only other non-login command (ceph_install) is restricted to root@pam in the web UI anyway, and that the termproxy endpoint is lacking this check and thus always falls back to a login prompt for non-login commands requested by non-root users.
Signed-off-by: Fabian Grünbichler <[email protected]>
---
 PVE/API2/Nodes.pm | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 9269694d6..81c7f3788 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -949,7 +949,7 @@ __PACKAGE__->register_method ({
 node => get_standard_option('pve-node'),
 cmd => {
 type => 'string',
- description => "Run specific command or default to login.",
+ description => "Run specific command or default to login (requires 'root\@pam')",
 enum => [keys %$shell_cmd_map],
 optional => 1,
 default => 'login',
@@ -1000,7 +1000,7 @@ __PACKAGE__->register_method ({
 raise_perm_exc("realm != pam") if $realm ne 'pam';
- if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') {
+ if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') {
 raise_perm_exc('user != root@pam');
 }
@@ -1089,7 +1089,7 @@ __PACKAGE__->register_method ({
 node => get_standard_option('pve-node'),
 cmd => {
 type => 'string',
- description => "Run specific command or default to login.",
+ description => "Run specific command or default to login (requires 'root\@pam')",
 enum => [keys %$shell_cmd_map],
 optional => 1,
 default => 'login',
@@ -1223,7 +1223,7 @@ __PACKAGE__->register_method ({
 proxy => get_standard_option('spice-proxy', { optional => 1 }),
 cmd => {
 type => 'string',
- description => "Run specific command or default to login.",
+ description => "Run specific command or default to login (requires 'root\@pam')",
 enum => [keys %$shell_cmd_map],
 optional => 1,
 default => 'login',
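Review bot: The new description string in the `@@ -949,7 +949,7 @@` hunk (repeated at `-1089` and `-1223`) reads as if the default login itself needed root, because the parenthesis follows "default to login". Putting the requirement next to the part it applies to removes the ambiguity, e.g. `description => "Run specific command (requires 'root\@pam') or default to login.",`. The enclosing register_method call starts and ends outside the hunk.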
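Review bot: The permission condition in the `@@ -1000,7 +1000,7 @@` hunk is repeated verbatim in the `-1248` hunk, so the two handlers have to be kept in sync by hand whenever the rule changes. A file-local helper would keep a single copy, e.g. `my $assert_shell_cmd_allowed = sub { my ($cmd, $user) = @_; raise_perm_exc('user != root@pam') if defined($cmd) && $cmd ne 'login' && $user ne 'root@pam'; };`, called as `$assert_shell_cmd_allowed->($param->{cmd}, $user);`. Testing against 'login' instead of naming the privileged command is the safer form, since any key later added to `$shell_cmd_map` is then root-only unless explicitly exempted. Both handler bodies continue outside the hunks.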
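Review bot: The `@@ -1089,7 +1089,7 @@` hunk advertises the 'root@pam' requirement in the schema, but unlike the `-949` and `-1223` sections no permission check is changed or added alongside it; presumably this is the termproxy endpoint, which the commit message says has no such check and falls back to a login prompt. The schema then documents a requirement that the handler enforces only implicitly, and a non-root API client gets a login shell instead of a permission error. Consider adding the same guard there, `raise_perm_exc('user != root@pam') if defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam';`, or wording this one description to state the fallback. The handler body is outside the hunk, so whether `$user` is in scope at that point needs confirming.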
@@ -1248,7 +1248,7 @@ __PACKAGE__->register_method ({
 raise_perm_exc("realm != pam") if $realm ne 'pam';
- if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') {
+ if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') {
 raise_perm_exc('user != root@pam');
 }
-- 
2.39.2
_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
