Start VM via CMD line as Non-root user

[gregorypeck]

Hello there,
Could somebody please help:

I need a non-root user (ncuser) to start a VM via the shell/command line.
I created a user (with adduser) and then assigned permissions as "Administrator" in the GUI.
In the GUI I can succesfully start a VM when logged in as the ncuser.

However, if I attempting via shell (command /usr/sbin/qm start 1022) with the same ncuser then I get the error:
ipcc_send_rec[1] failed: No such file or directory
ipcc_send_rec[2] failed: No such file or directory
ipcc_send_rec[3] failed: No such file or directory
please run as root

(If I do the same in the shell but as the root user then it works fine and this VM succesfully starts.)

Which additional permissions do I need to give this user ncuser to allow to start a VM from the CMD line without root rights?

Thanks a lot!

 

[fabian]

that's not possible within PVE - the CLI tools are root only. you can give a user limited root access via sudo (e.g., to only allow 'qm start XXX')

 

[gregorypeck]

that's not possible within PVE - the CLI tools are root only. you can give a user limited root access via sudo (e.g., to only allow 'qm start XXX')

I tried what you suggest via visudo. However, there appears not to be sudo installed, nor visudo, and also no etc/sudoers file existent where I could easily grant one user limited root access without password prompt (i.e. by entering a simple line, i.e. "user ALL = NOPASSWD: /usr/sbin/qm start".)

What is the easiest & safest way to allow a non-root user not to be prompted for a password for one specific shell command in Proxmoxl?
Thanks!

 

[gregorypeck]

P.S.
I did notice that there is a file named "zfs" in the folder /etc/sudoers.d, which I can open with nano.
Could I just append with a line "user ALL = NOPASSWD: /usr/sbin/qm start" in there, or will that break things? If yes, I suppose I then would still need to install sudo with "apt-get install sudo" as root, to allow the user to run in the command line "sudo /usr/sbin/qm start xxx", correct?

 

[BobhWasatch]

You will need to apt-get install sudo. Then you can add files to that /etc/sudoers.d directory. I would not modify existing ones because the package that owns them might overwrite your changes.

 

[gregorypeck]

You will need to apt-get install sudo. Then you can add files to that /etc/sudoers.d directory. I would not modify existing ones because the package that owns them might overwrite your changes.

Thanks. Here the overall solution, for who-ever needs this:

With root:

apt-get install sudo

This creates a file named sudoers in /etc

As root:


With Sudo visudo I can now add a line to sudoers.


ncuser ALL = NOPASSWD: /usr/sbin/qm start 101


Now the non-root user called ncuser can run the command „sudo /usr/sbin/qm start 101“ without password prompt.


This works well.

The rest of the sudoers file I left as per standard, and I have not chaned rights/permissions/ownership. I hope this does not alter the Proxmox system‘s safety/“Hackability“ in any way?.

See sudoers file:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any comman
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
ncuser ALL = NOPASSWD: /usr/sbin/qm start 101

I hope that is useful for others!

Please let me know if you see any security risks with installing sudo.

 

[fabian]

Thanks. Here the overall solution, for who-ever needs this:

With root:

apt-get install sudo

This creates a file named sudoers in /etc

As root:


With Sudo visudo I can now add a line to sudoers.


ncuser ALL = NOPASSWD: /usr/sbin/qm start 101


Now the non-root user called ncuser can run the command „sudo /usr/sbin/qm start 101“ without password prompt.


This works well.

The rest of the sudoers file I left as per standard, and I have not chaned rights/permissions/ownership. I hope this does not alter the Proxmox system‘s safety/“Hackability“ in any way?.

the default sudo setup does not interfere with PVE, and should be safe (modulo any bugs in sudo itself, which do happen)