proxmox-backup/src/config.rs

80 lines
2.1 KiB
Rust
Raw Normal View History

//! Proxmox Backup Server Configuration library
//!
//! This library contains helper to read, parse and write the
//! configuration files.
use failure::*;
use proxmox::tools::try_block;
use crate::buildcfg;
pub mod datastore;
/// Check configuration directory permissions
///
/// For security reasons, we want to make sure they are set correctly:
/// * owned by 'backup' user/group
/// * nobody else can read (mode 0700)
pub fn check_configdir_permissions() -> Result<(), Error> {
let cfgdir = buildcfg::CONFIGDIR;
let backup_user = crate::backup::backup_user()?;
let backup_uid = backup_user.uid.as_raw();
let backup_gid = backup_user.gid.as_raw();
try_block!({
let stat = nix::sys::stat::stat(cfgdir)?;
if stat.st_uid != backup_uid {
bail!("wrong user ({} != {})", stat.st_uid, backup_uid);
}
if stat.st_gid != backup_gid {
bail!("wrong group ({} != {})", stat.st_gid, backup_gid);
}
let perm = stat.st_mode & 0o777;
if perm != 0o700 {
bail!("wrong permission ({:o} != {:o})", perm, 0o700);
}
Ok(())
})
.map_err(|err| {
format_err!(
"configuration directory '{}' permission problem - {}",
cfgdir,
err
)
})
}
pub fn create_configdir() -> Result<(), Error> {
use nix::sys::stat::Mode;
let cfgdir = buildcfg::CONFIGDIR;
match nix::unistd::mkdir(cfgdir, Mode::from_bits_truncate(0o700)) {
Ok(()) => {}
Err(nix::Error::Sys(nix::errno::Errno::EEXIST)) => {
check_configdir_permissions()?;
return Ok(());
}
Err(err) => bail!(
"unable to create configuration directory '{}' - {}",
cfgdir,
err
),
}
let backup_user = crate::backup::backup_user()?;
nix::unistd::chown(cfgdir, Some(backup_user.uid), Some(backup_user.gid))
.map_err(|err| {
format_err!(
"unable to set configuration directory '{}' permissions - {}",
cfgdir,
err
)
})
}