fix configuration dir permission
Carefully set and check permissions ...
This commit is contained in:
parent
aada2a9719
commit
a8f268afbb
1
debian/dirs
vendored
1
debian/dirs
vendored
@ -1 +0,0 @@
|
||||
/etc/proxmox-backup
|
@ -5,6 +5,7 @@ use proxmox_backup::api::router::*;
|
||||
use proxmox_backup::api::config::*;
|
||||
use proxmox_backup::server::rest::*;
|
||||
use proxmox_backup::auth_helpers::*;
|
||||
use proxmox_backup::config;
|
||||
|
||||
use failure::*;
|
||||
use lazy_static::lazy_static;
|
||||
@ -28,7 +29,9 @@ fn run() -> Result<(), Error> {
|
||||
log::LevelFilter::Info,
|
||||
Some("proxmox-backup-api")) {
|
||||
bail!("unable to inititialize syslog - {}", err);
|
||||
}
|
||||
}
|
||||
|
||||
config::create_configdir()?;
|
||||
|
||||
if let Err(err) = generate_auth_key() {
|
||||
bail!("unable to generate auth key - {}", err);
|
||||
|
@ -56,10 +56,7 @@ fn run() -> Result<(), Error> {
|
||||
let rest_server = RestServer::new(config);
|
||||
|
||||
let cert_path = configdir!("/proxy.pfx");
|
||||
let raw_cert = match tools::file_get_contents(cert_path) {
|
||||
Ok(data) => data,
|
||||
Err(err) => bail!("unable to read certificate {} - {}", cert_path, err),
|
||||
};
|
||||
let raw_cert = tools::file_get_contents(cert_path)?;
|
||||
|
||||
let identity = match native_tls::Identity::from_pkcs12(&raw_cert, "") {
|
||||
Ok(data) => data,
|
||||
|
66
src/config.rs
Normal file
66
src/config.rs
Normal file
@ -0,0 +1,66 @@
|
||||
//! Proxmox Backup Server Configuration library
|
||||
//!
|
||||
//! This library contains helper to read, parse and write the
|
||||
//! configuration files.
|
||||
|
||||
use failure::*;
|
||||
|
||||
pub mod datastore;
|
||||
|
||||
use crate::tools;
|
||||
use crate::buildcfg;
|
||||
|
||||
/// Check configuration directory permissions
|
||||
///
|
||||
/// For security reasons, we want to make sure they are set correctly:
|
||||
/// * owned by 'backup' user/group
|
||||
/// * nobody else can read (mode 0700)
|
||||
pub fn check_confidir_permissions() -> Result<(), Error> {
|
||||
|
||||
let cfgdir = buildcfg::CONFIGDIR;
|
||||
let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;
|
||||
|
||||
try_block!({
|
||||
let stat = nix::sys::stat::stat(cfgdir)?;
|
||||
|
||||
if stat.st_uid != backup_uid {
|
||||
bail!("wrong user ({} != {})", stat.st_uid, backup_uid);
|
||||
}
|
||||
if stat.st_gid != backup_gid {
|
||||
bail!("wrong group ({} != {})", stat.st_gid, backup_gid);
|
||||
}
|
||||
|
||||
let perm = stat.st_mode & 0o777;
|
||||
if perm != 0o700 {
|
||||
bail!("wrong permission ({:o} != {:o})", perm, 0o700);
|
||||
}
|
||||
Ok(())
|
||||
}).map_err(|err| format_err!("configuration directory '{}' permission problem - {}", cfgdir, err))
|
||||
}
|
||||
|
||||
pub fn create_configdir() -> Result<(), Error> {
|
||||
|
||||
use nix::sys::stat::Mode;
|
||||
|
||||
let cfgdir = buildcfg::CONFIGDIR;
|
||||
let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;
|
||||
|
||||
match nix::unistd::mkdir(cfgdir, Mode::from_bits_truncate(0o700)) {
|
||||
Ok(()) => {},
|
||||
Err(nix::Error::Sys(nix::errno::Errno::EEXIST)) => {
|
||||
check_confidir_permissions()?;
|
||||
return Ok(());
|
||||
},
|
||||
Err(err) => bail!("unable to create configuration directory '{}' - {}", cfgdir, err),
|
||||
}
|
||||
|
||||
try_block!({
|
||||
let uid = nix::unistd::Uid::from_raw(backup_uid);
|
||||
let gid = nix::unistd::Gid::from_raw(backup_gid);
|
||||
|
||||
nix::unistd::chown(cfgdir, Some(uid), Some(gid))?;
|
||||
|
||||
Ok(())
|
||||
}).map_err(|err: Error| format_err!(
|
||||
"unable to set configuration directory '{}' permissions - {}", cfgdir, err))
|
||||
}
|
@ -41,10 +41,7 @@ pub mod section_config;
|
||||
|
||||
pub mod backup;
|
||||
|
||||
pub mod config {
|
||||
|
||||
pub mod datastore;
|
||||
}
|
||||
pub mod config;
|
||||
|
||||
pub mod storage {
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user