fix configuration dir permission

Carefully set and check permissions ...

debian/dirs

@@ -1 +0,0 @@
-/etc/proxmox-backup

src/bin/proxmox-backup-api.rs

@@ -5,6 +5,7 @@ use proxmox_backup::api::router::*;
 use proxmox_backup::api::config::*;
 use proxmox_backup::server::rest::*;
 use proxmox_backup::auth_helpers::*;
+use proxmox_backup::config;
 
 use failure::*;
 use lazy_static::lazy_static;
@@ -28,7 +29,9 @@ fn run() -> Result<(), Error> {
         log::LevelFilter::Info,
         Some("proxmox-backup-api")) {
         bail!("unable to inititialize syslog - {}", err);
-     }
+    }
+
+    config::create_configdir()?;
 
     if let Err(err) = generate_auth_key() {
         bail!("unable to generate auth key - {}", err);

src/bin/proxmox-backup-proxy.rs

@@ -56,10 +56,7 @@ fn run() -> Result<(), Error> {
     let rest_server = RestServer::new(config);
 
     let cert_path = configdir!("/proxy.pfx");
-    let raw_cert = match tools::file_get_contents(cert_path) {
-        Ok(data) => data,
-        Err(err) => bail!("unable to read certificate {} - {}", cert_path, err),
-    };
+    let raw_cert = tools::file_get_contents(cert_path)?;
 
     let identity = match native_tls::Identity::from_pkcs12(&raw_cert, "") {
         Ok(data) => data,

src/config.rs

@@ -0,0 +1,66 @@
+//! Proxmox Backup Server Configuration library
+//!
+//! This library contains helper to read, parse and write the
+//! configuration files.
+
+use failure::*;
+
+pub mod datastore;
+
+use crate::tools;
+use crate::buildcfg;
+
+/// Check configuration directory permissions
+///
+/// For security reasons, we want to make sure they are set correctly:
+/// * owned by 'backup' user/group
+/// * nobody else can read (mode 0700)
+pub fn check_confidir_permissions() -> Result<(), Error> {
+
+    let cfgdir = buildcfg::CONFIGDIR;
+    let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;
+
+    try_block!({
+        let stat = nix::sys::stat::stat(cfgdir)?;
+
+        if stat.st_uid != backup_uid {
+            bail!("wrong user ({} != {})",  stat.st_uid, backup_uid);
+        }
+        if stat.st_gid != backup_gid {
+            bail!("wrong group ({} != {})",  stat.st_gid, backup_gid);
+        }
+
+        let perm = stat.st_mode & 0o777;
+        if perm != 0o700 {
+            bail!("wrong permission ({:o} != {:o})",  perm, 0o700);
+        }
+        Ok(())
+    }).map_err(|err| format_err!("configuration directory '{}' permission problem - {}", cfgdir, err))
+}
+
+pub fn create_configdir() -> Result<(), Error> {
+
+    use nix::sys::stat::Mode;
+
+    let cfgdir = buildcfg::CONFIGDIR;
+    let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;
+
+    match nix::unistd::mkdir(cfgdir, Mode::from_bits_truncate(0o700)) {
+        Ok(()) => {},
+        Err(nix::Error::Sys(nix::errno::Errno::EEXIST)) => {
+            check_confidir_permissions()?;
+            return Ok(());
+        },
+        Err(err) => bail!("unable to create configuration directory '{}' - {}", cfgdir, err),
+    }
+
+    try_block!({
+        let uid = nix::unistd::Uid::from_raw(backup_uid);
+        let gid = nix::unistd::Gid::from_raw(backup_gid);
+
+        nix::unistd::chown(cfgdir, Some(uid), Some(gid))?;
+
+        Ok(())
+    }).map_err(|err: Error| format_err!(
+        "unable to set configuration directory '{}' permissions - {}", cfgdir, err))
+}

src/lib.rs

@@ -41,10 +41,7 @@ pub mod section_config;
 
 pub mod backup;
 
-pub mod config {
-
-    pub mod datastore;
-}
+pub mod config;
 
 pub mod storage {