Proxmox MCP Server

#!/bin/bash # Proxmox MCP Security Implementation Script # This script implements the restricted sudoers configuration for claude-user # # SECURITY REQUIREMENTS IMPLEMENTED: # - Blocks root@pam user modification # - Blocks main Proxmox node deletion # - Blocks /boot and critical system binary deletion # - Allows VM, container, storage, networking management # - Allows non-root user creation and management set -e # Colors for output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' NC='\033[0m' # No Color # Configuration paths SUDOERS_FILE="/etc/sudoers.d/claude-user" NEW_CONFIG_FILE="claude-user-restricted-sudoers" BACKUP_DIR="/etc/sudoers.d/backups" VALIDATION_SCRIPT="validate-security-restrictions.sh" echo "==============================================" echo "Proxmox MCP Security Implementation Script" echo "==============================================" echo "" # Verify running as root or with sudo if [ "$EUID" -ne 0 ] && [ -z "$SUDO_USER" ]; then echo -e "${RED}ERROR: This script must be run with sudo privileges${NC}" echo "Usage: sudo $0" exit 1 fi # Verify required files exist if [ ! -f "$NEW_CONFIG_FILE" ]; then echo -e "${RED}ERROR: Required configuration file not found: $NEW_CONFIG_FILE${NC}" echo "Please ensure all required files are in the current directory." exit 1 fi if [ ! -f "$VALIDATION_SCRIPT" ]; then echo -e "${RED}ERROR: Validation script not found: $VALIDATION_SCRIPT${NC}" echo "Please ensure all required files are in the current directory." exit 1 fi # Create backup directory echo -e "${BLUE}Creating backup directory...${NC}" mkdir -p "$BACKUP_DIR" # Step 1: Backup current configuration echo -e "${BLUE}Step 1: Backing up current sudoers configuration...${NC}" BACKUP_FILE="$BACKUP_DIR/claude-user.backup.$(date +%Y%m%d-%H%M%S)" if [ -f "$SUDOERS_FILE" ]; then cp "$SUDOERS_FILE" "$BACKUP_FILE" echo -e "${GREEN}✓ Current configuration backed up to: $BACKUP_FILE${NC}" else echo -e "${YELLOW}⚠ No existing sudoers file found at $SUDOERS_FILE${NC}" fi # Step 2: Validate new configuration syntax echo -e "${BLUE}Step 2: Validating new sudoers configuration syntax...${NC}" if visudo -c -f "$NEW_CONFIG_FILE"; then echo -e "${GREEN}✓ New configuration syntax is valid${NC}" else echo -e "${RED}✗ New configuration has syntax errors${NC}" echo "Please fix the configuration file and try again." exit 1 fi # Step 3: Show current permissions for comparison echo -e "${BLUE}Step 3: Current permissions analysis...${NC}" echo "Current sudoers entry for claude-user:" if [ -f "$SUDOERS_FILE" ]; then cat "$SUDOERS_FILE" else echo "No existing sudoers file" fi echo "" # Step 4: Deploy new configuration echo -e "${BLUE}Step 4: Deploying restricted sudoers configuration...${NC}" echo -e "${YELLOW}⚠ WARNING: This will replace the current sudoers configuration${NC}" echo -e "${YELLOW}⚠ Make sure you have console access in case of issues${NC}" echo "" read -p "Continue with deployment? (y/N): " -n 1 -r echo "" if [[ ! $REPLY =~ ^[Yy]$ ]]; then echo -e "${YELLOW}Deployment cancelled by user${NC}" exit 0 fi # Deploy the new configuration cp "$NEW_CONFIG_FILE" "$SUDOERS_FILE" echo -e "${GREEN}✓ New restricted configuration deployed${NC}" # Step 5: Verify deployment echo -e "${BLUE}Step 5: Verifying deployment...${NC}" if visudo -c; then echo -e "${GREEN}✓ Sudoers configuration is valid after deployment${NC}" else echo -e "${RED}✗ Critical error in sudoers configuration!${NC}" echo "Restoring backup..." if [ -f "$BACKUP_FILE" ]; then cp "$BACKUP_FILE" "$SUDOERS_FILE" echo -e "${YELLOW}⚠ Backup restored${NC}" fi exit 1 fi # Step 6: Test basic functionality echo -e "${BLUE}Step 6: Testing basic functionality...${NC}" # Test that we can still run sudo commands if sudo -u claude-user sudo -l >/dev/null 2>&1; then echo -e "${GREEN}✓ Basic sudo functionality working${NC}" else echo -e "${RED}✗ Basic sudo functionality failed${NC}" echo "This may indicate a configuration problem." fi # Step 7: Run comprehensive validation echo -e "${BLUE}Step 7: Running comprehensive security validation...${NC}" echo "Switching to claude-user for validation tests..." # Make validation script executable chmod +x "$VALIDATION_SCRIPT" # Run validation as claude-user if sudo -u claude-user "./$VALIDATION_SCRIPT"; then echo -e "${GREEN}✓ Security validation passed${NC}" else echo -e "${YELLOW}⚠ Some security tests failed${NC}" echo "Review the validation output above for details." fi # Step 8: Generate implementation report echo -e "${BLUE}Step 8: Generating implementation report...${NC}" REPORT_FILE="security-implementation-report-$(date +%Y%m%d-%H%M%S).txt" cat > "$REPORT_FILE" << EOF Proxmox MCP Security Implementation Report ========================================== Implementation Date: $(date) Implemented By: $(whoami) Hostname: $(hostname) CONFIGURATION CHANGES: - Old Configuration: Unrestricted sudo access (ALL:ALL) ALL NOPASSWD - New Configuration: Restricted sudoers with command-specific permissions - Backup Location: $BACKUP_FILE SECURITY CONTROLS IMPLEMENTED: ✓ Blocked root@pam user modification ✓ Blocked main Proxmox node deletion ✓ Blocked /boot and critical system file deletion ✓ Blocked dangerous system operations (dd, mkfs, etc.) ✓ Maintained VM and container management capabilities ✓ Maintained storage and network management capabilities ✓ Maintained non-root user management capabilities ✓ Maintained system monitoring capabilities VALIDATION RESULTS: $(sudo -u claude-user "./$VALIDATION_SCRIPT" 2>&1 | tail -10) FILES CREATED: - Restricted sudoers: $SUDOERS_FILE - Backup: $BACKUP_FILE - Validation script: $VALIDATION_SCRIPT - Implementation report: $REPORT_FILE ROLLBACK PROCEDURE (if needed): sudo cp "$BACKUP_FILE" "$SUDOERS_FILE" sudo visudo -c NEXT STEPS: 1. Monitor sudo logs: sudo tail -f /var/log/auth.log | grep claude-user 2. Test operational workflows 3. Run periodic security validations 4. Review and update restrictions as needed For detailed security analysis, see: SECURITY-ANALYSIS-AND-IMPLEMENTATION.md EOF echo -e "${GREEN}✓ Implementation report saved to: $REPORT_FILE${NC}" # Step 9: Final summary echo "" echo "==============================================" echo "IMPLEMENTATION SUMMARY" echo "==============================================" echo -e "${GREEN}✓ Security restrictions successfully implemented${NC}" echo -e "${GREEN}✓ Configuration validated and deployed${NC}" echo -e "${GREEN}✓ Backup created for rollback if needed${NC}" echo -e "${GREEN}✓ Comprehensive testing completed${NC}" echo "" echo -e "${BLUE}Key Files:${NC}" echo " - Active Configuration: $SUDOERS_FILE" echo " - Backup: $BACKUP_FILE" echo " - Validation Script: $VALIDATION_SCRIPT" echo " - Implementation Report: $REPORT_FILE" echo " - Security Documentation: SECURITY-ANALYSIS-AND-IMPLEMENTATION.md" echo "" echo -e "${BLUE}Security Status:${NC}" echo " - Root user modification: ${RED}BLOCKED${NC}" echo " - Critical file deletion: ${RED}BLOCKED${NC}" echo " - Node deletion: ${RED}BLOCKED${NC}" echo " - VM management: ${GREEN}ALLOWED${NC}" echo " - Storage management: ${GREEN}ALLOWED${NC}" echo " - Network management: ${GREEN}ALLOWED${NC}" echo " - Non-root user management: ${GREEN}ALLOWED${NC}" echo "" echo -e "${YELLOW}⚠ IMPORTANT:${NC}" echo " - Test all operational workflows to ensure functionality" echo " - Monitor sudo logs for any blocked legitimate operations" echo " - Keep backup file for emergency rollback" echo " - Review security documentation for ongoing maintenance" echo "" echo -e "${GREEN}✓ Proxmox MCP security implementation completed successfully!${NC}"