API limitations to root@pam

maennlse

Renowned Member
Jul 31, 2013
Hi,
We are currently trying to deploy several LXC containers that require a hookscript via the API (using salt-cloud).

Basically everything is working as long as we are using the root@pam user.
For security reasons we'd like to avoid using the root user for automated 'actions'.

So, right now we patch /usr/share/perl5/PVE/LXC.pm to also allow an additional 'technical user' to add a hookscript (and basically more...):
Code:
--- LXC.pm.orig 2021-12-02 11:10:47.522600770 +0100
+++ LXC.pm      2021-12-02 11:10:58.438891661 +0100
@@ -1212,7 +1212,7 @@
 sub check_ct_modify_config_perm {
     my ($rpcenv, $authuser, $vmid, $pool, $newconf, $delete) = @_;

-    return 1 if $authuser eq 'root@pam';
+    return 1 if ($authuser eq 'root@pam' || $authuser eq 'someuser@pve');
     my $storage_cfg = PVE::Storage::config();

     my $check = sub {
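Review bot: the added `return 1` short-circuits every check that follows in check_ct_modify_config_perm, so `someuser@pve` becomes root-equivalent for the whole container config (every key, every storage, every delete), not only for `hookscript`; since this is the account used for automated API calls, a leaked salt-cloud credential is now worth exactly as much as `root@pam`. If only hookscript is needed, put the exception next to the hookscript handling further down in the function and limit it to that one key (and, if possible, to one snippets storage), instead of widening the top-level root bypass. Also, /usr/share/perl5/PVE/LXC.pm is shipped by the package, so the next upgrade silently reverts this change; the patch needs to be reapplied (and re-reviewed) after every update.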


In an older post (that I couldn't find anymore) I already read that this is actually a 'security feature' of Proxmox :)

So, my actual question: are there plans to change this? Maybe some configurable user/group that is allowed, or can be granted, these currently 'root only' features?
Or is there any other way to 'work around' this limitation?

As the hookscript is only required to add an openssh-server to the default Rocky Linux image, the question could alternatively be: is there any other way (that I'm currently not aware of) to add additional packages to the image?

Thanks for your great product, and merry Christmas ;)
Sebastian
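The patch in the post above grants the extra user everything root can do. As an added example (not code from PVE/LXC.pm and not a drop-in replacement for it), the following standalone Perl sketch shows what a narrower delegation could look like: a per-user allowlist that covers only named root-only keys, with the hookscript value restricted to one snippets storage. The delegation table, the list of root-only keys, the storage names and the sample configs are all constructed assumptions for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical delegation table (assumption, not a PVE feature): which
# non-root users may touch which root-only keys, and from which storage
# a hookscript may be loaded.
my $delegated = {
    'someuser@pve' => {
        keys     => { hookscript => 1 },
        storages => { local => 1 },
    },
};

# Keys modelled here as root-only; the real list lives in PVE/LXC.pm.
my %root_only = map { $_ => 1 } qw(hookscript lxc);

# Same calling shape as the check in the patch: returns 1 if the change
# is allowed, dies with an HTTP-style error otherwise. Keys that are not
# root-only are left to the normal ACL checks (returning 1 here stands
# in for "fall through to those checks").
sub check_delegated_root_keys {
    my ($authuser, $newconf, $delete) = @_;

    return 1 if $authuser eq 'root@pam';

    my $grant   = $delegated->{$authuser} || { keys => {}, storages => {} };
    my @deleted = @{ $delete || [] };

    for my $opt (keys %$newconf, @deleted) {
        next unless $root_only{$opt};
        die "403 Permission check failed ($opt is root-only)\n"
            unless $grant->{keys}->{$opt};

        # Deleting a delegated key needs no value validation.
        next unless exists $newconf->{$opt};

        if ($opt eq 'hookscript') {
            # Accept only <storage>:snippets/<file>, where <file> is a single
            # path component (no '/' and no leading '.'), so no traversal.
            my ($storage, $file) = $newconf->{$opt} =~ m!^([A-Za-z][\w-]*):snippets/(\w[\w.-]*)$!
                or die "400 hookscript must be <storage>:snippets/<file>\n";
            die "403 hookscript from storage '$storage' not allowed for $authuser\n"
                unless $grant->{storages}->{$storage};
        }
    }
    return 1;
}

# Constructed cases: the delegated user may set a hookscript from 'local'
# but not from another storage or via a traversal path, raw lxc.* settings
# stay root-only, and an undelegated user is refused.
my @cases = (
    ['root@pam',     { hookscript => 'local:snippets/sshd.sh' }],
    ['someuser@pve', { hookscript => 'local:snippets/sshd.sh', memory => 512 }],
    ['someuser@pve', { hookscript => 'nfs01:snippets/sshd.sh' }],
    ['someuser@pve', { hookscript => 'local:snippets/../sshd.sh' }],
    ['someuser@pve', { lxc => [['lxc.apparmor.profile', 'unconfined']] }],
    ['other@pve',    { hookscript => 'local:snippets/sshd.sh' }],
);

for my $case (@cases) {
    my ($user, $conf) = @$case;
    my $ok  = eval { check_delegated_root_keys($user, $conf, []) };
    my $err = $@; chomp $err;
    printf "%-13s %-40s %s\n", $user, join(',', sort keys %$conf),
        $ok ? 'allowed' : "denied: $err";
}
```

Run it with `perl`; only the first two cases print "allowed". The caveat that remains even with this narrower check: the hookscript itself runs with root privileges on the node, so anyone who can write into the allowed snippets storage is still effectively root on the host. Delegating the key only moves the trust boundary to that storage; it does not remove it.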
 
Hi,

So, my actual question: are there plans to change this? Maybe some configurable user/group that is allowed, or can be granted, these currently 'root only' features?
Or is there any other way to 'work around' this limitation?
Yes, it's planned :) See here on our bug tracker [0]. I can't promise a timeline at the moment, as there are some other things to consider in the API (not only LXC, but we also need to think of VMs, storage and all kinds of other things that interplay).

But I guess for now your patch is enough for your use case; unfortunately I don't have a better idea at the moment...

You can follow the bug report for any updates on the topic.

[0]: https://bugzilla.proxmox.com/show_bug.cgi?id=2582