Start VM via CMD line as Non-root user

G

gregorypeck

New Member
Nov 30, 2019
16
0
1
Hello there,
Could somebody please help:

I need a non-root user (ncuser) to start a VM via the shell/command line.
I created a user (with adduser) and then assigned permissions as "Administrator" in the GUI.
In the GUI I can succesfully start a VM when logged in as the ncuser.

However, if I attempting via shell (command /usr/sbin/qm start 1022) with the same ncuser then I get the error:
ipcc_send_rec[1] failed: No such file or directory
ipcc_send_rec[2] failed: No such file or directory
ipcc_send_rec[3] failed: No such file or directory
please run as root

(If I do the same in the shell but as the root user then it works fine and this VM succesfully starts.)

Which additional permissions do I need to give this user ncuser to allow to start a VM from the CMD line without root rights?

Thanks a lot!
 
Last edited:
that's not possible within PVE - the CLI tools are root only. you can give a user limited root access via sudo (e.g., to only allow 'qm start XXX')
 
fabian said:
that's not possible within PVE - the CLI tools are root only. you can give a user limited root access via sudo (e.g., to only allow 'qm start XXX')
Click to expand...


I tried what you suggest via visudo. However, there appears not to be sudo installed, nor visudo, and also no etc/sudoers file existent where I could easily grant one user limited root access without password prompt (i.e. by entering a simple line, i.e. "user ALL = NOPASSWD: /usr/sbin/qm start".)

What is the easiest & safest way to allow a non-root user not to be prompted for a password for one specific shell command in Proxmoxl?
Thanks!
 
Last edited:
P.S.
I did notice that there is a file named "zfs" in the folder /etc/sudoers.d, which I can open with nano.
Could I just append with a line "user ALL = NOPASSWD: /usr/sbin/qm start" in there, or will that break things? If yes, I suppose I then would still need to install sudo with "apt-get install sudo" as root, to allow the user to run in the command line "sudo /usr/sbin/qm start xxx", correct?
 
Last edited:
BobhWasatch said:
You will need to apt-get install sudo. Then you can add files to that /etc/sudoers.d directory. I would not modify existing ones because the package that owns them might overwrite your changes.
Click to expand...

Thanks. Here the overall solution, for who-ever needs this:

With root:

apt-get install sudo

This creates a file named sudoers in /etc

As root:


With Sudo visudo I can now add a line to sudoers.


ncuser ALL = NOPASSWD: /usr/sbin/qm start 101


Now the non-root user called ncuser can run the command „sudo /usr/sbin/qm start 101“ without password prompt.


This works well.

The rest of the sudoers file I left as per standard, and I have not chaned rights/permissions/ownership. I hope this does not alter the Proxmox system‘s safety/“Hackability“ in any way?.

See sudoers file:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any comman
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
ncuser ALL = NOPASSWD: /usr/sbin/qm start 101

I hope that is useful for others!

Please let me know if you see any security risks with installing sudo.
 
Last edited:
gregorypeck said:
Thanks. Here the overall solution, for who-ever needs this:

With root:

apt-get install sudo

This creates a file named sudoers in /etc

As root:


With Sudo visudo I can now add a line to sudoers.


ncuser ALL = NOPASSWD: /usr/sbin/qm start 101


Now the non-root user called ncuser can run the command „sudo /usr/sbin/qm start 101“ without password prompt.


This works well.

The rest of the sudoers file I left as per standard, and I have not chaned rights/permissions/ownership. I hope this does not alter the Proxmox system‘s safety/“Hackability“ in any way?.
Click to expand...

the default sudo setup does not interfere with PVE, and should be safe (modulo any bugs in sudo itself, which do happen)
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom