Valid OIDC login (full admin) - still needs root@pam to change features on LXC container

G

Glowsome

Renowned Member
Jul 25, 2017
184
45
68
51
The Netherlands
www.comsolve.nl
Situation:
  • OIDC correctly setup
  • OIDC user is part of Administrators - group, with the correct rights.
  • change LXC options ( ie. nesting/Fuse tick if unticked)
Result:
1664844342281.png

Is this by design? - in need of explanation here ...

.. i mean i explicitly went for a federative method so i have control on authentication and give correct permissions/authorisations this way on a corporate level, but even then i am still dependant on root@pam for some tasks.

- Glowsome
 
yes, there are currently a few things that only 'root@pam' can do, there are unapplied patches on the list [0] to introduce a 'superuser' privilege instead, but i am not sure about the status of that series
0: https://lists.proxmox.com/pipermail/pve-devel/2022-June/053150.html

EDIT: i should note that the things that requires root are mostly *very dangerous* operations that should not be done lightly

e.g. in your example you try to enable features for a privileged container which can be very dangerous as you basically remove parts of the abstraction layer between host and guest
(note that privileged containers are not recommended in general for isolation; i'd use unprivileged ones instead)
 
Last edited:
dcsapak said:
yes, there are currently a few things that only 'root@pam' can do, there are unapplied patches on the list [0] to introduce a 'superuser' privilege instead, but i am not sure about the status of that series
0: https://lists.proxmox.com/pipermail/pve-devel/2022-June/053150.html

EDIT: i should note that the things that requires root are mostly *very dangerous* operations that should not be done lightly

e.g. in your example you try to enable features for a privileged container which can be very dangerous as you basically remove parts of the abstraction layer between host and guest
(note that privileged containers are not recommended in general for isolation; i'd use unprivileged ones instead)
Click to expand...
I understand your concern in regards of an action in the *very dangerous* categories.
Do not want 'root@pam' execute and to be shown in a/the log, but my federated user which is a 1:1 relation to a person in a/the team ..
So for auditing purposes would like to see no root@pam - executed actions.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom