tyler
/
proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix #3060:: improve get_owner error handling 

log invalid owners to system log, and continue with next group just as
if permission checks fail for the following operations:
- verify store with limited permissions
- list store groups
- list store snapshots

all other call sites either handle it correctly already (sync/pull), or
operate on a single group/snapshot and can bubble up the error.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2020-11-10 12:08:13 +01:00 committed by Dietmar Maurer
parent c5608cf86c
commit 414c23facb
2 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/api2/admin/datastore.rs
View File

@ -187,7 +187,13 @@ fn list_groups(
let group = info.backup_dir.group(); let group = info.backup_dir.group();
let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0; let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0;
let owner = datastore.get_owner(group)?; let owner = match datastore.get_owner(group) {
Ok(auth_id) => auth_id,
Err(err) => {
println!("Failed to get owner of group '{}' - {}", group, err);
continue;
},
};
if !list_all && check_backup_owner(&owner, &auth_id).is_err() { if !list_all && check_backup_owner(&owner, &auth_id).is_err() {
continue; continue;
} }
@ -369,7 +375,13 @@ pub fn list_snapshots (
} }
let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0; let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0;
let owner = datastore.get_owner(group)?; let owner = match datastore.get_owner(group) {
Ok(auth_id) => auth_id,
Err(err) => {
println!("Failed to get owner of group '{}' - {}", group, err);
continue;
},
};
if !list_all && check_backup_owner(&owner, &auth_id).is_err() { if !list_all && check_backup_owner(&owner, &auth_id).is_err() {
continue; continue;

7
src/backup/verify.rs
View File

@ -516,7 +516,12 @@ pub fn verify_all_backups(
&& !owner.is_token() && !owner.is_token()
&& group_owner.user() == owner.user()) && group_owner.user() == owner.user())
}, },
Err(_) => false, Err(err) => {
// intentionally not in task log
// the task user might not be allowed to see this group!
println!("Failed to get owner of group '{}' - {}", group, err);
false
},
} }
} else { } else {
true true