use PVE::SafeSyslog;
use PVE::RPCEnvironment;
-use PVE::Cluster;
+use PVE::Cluster qw(cfs_read_file);
use PVE::RESTHandler;
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);
my $token;
eval {
+ # test if user exists and is enabled
+ $rpcenv->check_user_enabled($username);
+
if ($param->{path} && $param->{privs}) {
my $privs = [ PVE::Tools::split_list($param->{privs}) ];
my $path = PVE::AccessControl::normalize_path($param->{path});
my $tmp;
if (($tmp = PVE::AccessControl::verify_ticket($param->{password}, 1)) &&
- ($tmp eq $username)) {
+ ($tmp eq 'root@pam' || $tmp eq $username)) {
# got valid ticket
+ # Note: root@pam can create tickets for other users
+
} else {
$username = PVE::AccessControl::authenticate_user($username, $param->{password});
}
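Review bot: The new `$tmp eq 'root@pam'` condition lets a valid root@pam ticket obtain a ticket for any other user, but nothing in the visible lines records that this happened, so the impersonation leaves no audit trail. In the "got valid ticket" branch I would add something like `syslog('info', "ticket for '$username' issued on behalf of root\@pam") if $tmp ne $username;` and expand the comment to say that the target account is still subject to the `check_user_enabled` call above. Separately, `check_user_enabled($username)` now runs before any credential is verified. If its error text reaches the client, unknown or disabled accounts become distinguishable from a wrong password. The `eval` opens before this branch and closes outside the hunk, so the error handling is not visible here; it should log the detail and return one generic authentication failure.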