proxmox-mirrors/pve-manager
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-manager synced 2025-07-25 20:05:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

node console: restrict all non-login commands to root@pam

Browse Source 
and not just upgrade.

note that the only other non-login command (ceph_install) is restricted to
root@pam in the web UI anyway, and that the termproxy endpoint is lacking this
check and thus always falls back to a login prompt for non-login commands
requested by non-root users.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2023-06-14 12:42:13 +02:00 committed by Thomas Lamprecht
parent 6e167f9a9a
commit 4fb92ae88a
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
PVE/API2/Nodes.pm
View File

@ -949,7 +949,7 @@ __PACKAGE__->register_method ({
node => get_standard_option('pve-node'), node => get_standard_option('pve-node'),
cmd => { cmd => {
type => 'string', type => 'string',
description => "Run specific command or default to login.", description => "Run specific command or default to login (requires 'root\@pam')",
enum => [keys %$shell_cmd_map], enum => [keys %$shell_cmd_map],
optional => 1, optional => 1,
default => 'login', default => 'login',
@ -1000,7 +1000,7 @@ __PACKAGE__->register_method ({
raise_perm_exc("realm != pam") if $realm ne 'pam'; raise_perm_exc("realm != pam") if $realm ne 'pam';
if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') { if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') {
raise_perm_exc('user != root@pam'); raise_perm_exc('user != root@pam');
} }
@ -1089,7 +1089,7 @@ __PACKAGE__->register_method ({
node => get_standard_option('pve-node'), node => get_standard_option('pve-node'),
cmd => { cmd => {
type => 'string', type => 'string',
description => "Run specific command or default to login.", description => "Run specific command or default to login (requires 'root\@pam')",
enum => [keys %$shell_cmd_map], enum => [keys %$shell_cmd_map],
optional => 1, optional => 1,
default => 'login', default => 'login',
@ -1223,7 +1223,7 @@ __PACKAGE__->register_method ({
proxy => get_standard_option('spice-proxy', { optional => 1 }), proxy => get_standard_option('spice-proxy', { optional => 1 }),
cmd => { cmd => {
type => 'string', type => 'string',
description => "Run specific command or default to login.", description => "Run specific command or default to login (requires 'root\@pam')",
enum => [keys %$shell_cmd_map], enum => [keys %$shell_cmd_map],
optional => 1, optional => 1,
default => 'login', default => 'login',
@ -1248,7 +1248,7 @@ __PACKAGE__->register_method ({
raise_perm_exc("realm != pam") if $realm ne 'pam'; raise_perm_exc("realm != pam") if $realm ne 'pam';
if (defined($param->{cmd}) && $param->{cmd} eq 'upgrade' && $user ne 'root@pam') { if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') {
raise_perm_exc('user != root@pam'); raise_perm_exc('user != root@pam');
} }