From a8f268afbb727ad0ba22724290fd3f8cd56a2e87 Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Sat, 16 Feb 2019 12:19:13 +0100 Subject: [PATCH] fix configuration dir permission Carefully set and check permissions ... --- debian/dirs | 1 - src/bin/proxmox-backup-api.rs | 5 ++- src/bin/proxmox-backup-proxy.rs | 5 +-- src/config.rs | 66 +++++++++++++++++++++++++++++++++ src/lib.rs | 5 +-- 5 files changed, 72 insertions(+), 10 deletions(-) delete mode 100644 debian/dirs create mode 100644 src/config.rs diff --git a/debian/dirs b/debian/dirs deleted file mode 100644 index c2915526..00000000 --- a/debian/dirs +++ /dev/null @@ -1 +0,0 @@ -/etc/proxmox-backup diff --git a/src/bin/proxmox-backup-api.rs b/src/bin/proxmox-backup-api.rs index 291b0288..29ab6d6b 100644 --- a/src/bin/proxmox-backup-api.rs +++ b/src/bin/proxmox-backup-api.rs @@ -5,6 +5,7 @@ use proxmox_backup::api::router::*; use proxmox_backup::api::config::*; use proxmox_backup::server::rest::*; use proxmox_backup::auth_helpers::*; +use proxmox_backup::config; use failure::*; use lazy_static::lazy_static; @@ -28,7 +29,9 @@ fn run() -> Result<(), Error> { log::LevelFilter::Info, Some("proxmox-backup-api")) { bail!("unable to inititialize syslog - {}", err); - } + } + + config::create_configdir()?; if let Err(err) = generate_auth_key() { bail!("unable to generate auth key - {}", err); diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs index c64ce8a6..7eca6f17 100644 --- a/src/bin/proxmox-backup-proxy.rs +++ b/src/bin/proxmox-backup-proxy.rs @@ -56,10 +56,7 @@ fn run() -> Result<(), Error> { let rest_server = RestServer::new(config); let cert_path = configdir!("/proxy.pfx"); - let raw_cert = match tools::file_get_contents(cert_path) { - Ok(data) => data, - Err(err) => bail!("unable to read certificate {} - {}", cert_path, err), - }; + let raw_cert = tools::file_get_contents(cert_path)?; let identity = match native_tls::Identity::from_pkcs12(&raw_cert, "") { Ok(data) => data, 
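Review bot: In the src/bin/proxmox-backup-proxy.rs hunk, replacing the `match` with `tools::file_get_contents(cert_path)?` drops the "unable to read certificate <path>" context. Unless `file_get_contents` (not visible here) already names the file in its error, a missing or unreadable `proxy.pfx` now surfaces as a bare I/O error. Keeping the path costs one line: `let raw_cert = tools::file_get_contents(cert_path).map_err(|err| format_err!("unable to read certificate {} - {}", cert_path, err))?;`. The proxy also loads key material from the configuration directory without calling `config::check_confidir_permissions()`, and the diffstat shows no other change to this file. If the proxy can start independently of the API daemon, the check added by this commit is presumably never applied on this path. `run()` begins and ends outside the hunk.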
diff --git a/src/config.rs b/src/config.rs
new file mode 100644
index 00000000..e648a203
--- /dev/null
+++ b/src/config.rs
@@ -0,0 +1,66 @@
+//! Proxmox Backup Server Configuration library
+//!
+//! This library contains helper to read, parse and write the
+//! configuration files.
+
+use failure::*;
+
+pub mod datastore;
+
+use crate::tools;
+use crate::buildcfg;
+
+/// Check configuration directory permissions
+///
+/// For security reasons, we want to make sure they are set correctly:
+/// * owned by 'backup' user/group
+/// * nobody else can read (mode 0700)
+pub fn check_confidir_permissions() -> Result<(), Error> {
+
+ let cfgdir = buildcfg::CONFIGDIR;
+ let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;
+
+ try_block!({
+ let stat = nix::sys::stat::stat(cfgdir)?;
+
+ if stat.st_uid != backup_uid {
+ bail!("wrong user ({} != {})", stat.st_uid, backup_uid);
+ }
+ if stat.st_gid != backup_gid {
+ bail!("wrong group ({} != {})", stat.st_gid, backup_gid);
+ }
+
+ let perm = stat.st_mode & 0o777;
+ if perm != 0o700 {
+ bail!("wrong permission ({:o} != {:o})", perm, 0o700);
+ }
+ Ok(())
+ }).map_err(|err| format_err!("configuration directory '{}' permission problem - {}", cfgdir, err))
+}
+
+pub fn create_configdir() -> Result<(), Error> {
+
+ use nix::sys::stat::Mode;
+
+ let cfgdir = buildcfg::CONFIGDIR;
+ let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;
+
+ match nix::unistd::mkdir(cfgdir, Mode::from_bits_truncate(0o700)) {
+ Ok(()) => {},
+ Err(nix::Error::Sys(nix::errno::Errno::EEXIST)) => {
+ check_confidir_permissions()?;
+ return Ok(());
+ },
+ Err(err) => bail!("unable to create configuration directory '{}' - {}", cfgdir, err),
+ }
+
+ try_block!({
+ let uid = nix::unistd::Uid::from_raw(backup_uid);
+ let gid = nix::unistd::Gid::from_raw(backup_gid);
+
+ nix::unistd::chown(cfgdir, Some(uid), Some(gid))?;
+
+ Ok(())
+ }).map_err(|err: Error| format_err!(
+ "unable to set configuration directory '{}' permissions - {}", cfgdir, err))
+}
diff --git a/src/lib.rs b/src/lib.rs
index f49930d3..b6f85f7b 100644
--- a/src/lib.rs
+++ b/src/lib.rs
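Review bot: In src/config.rs, `check_confidir_permissions` never confirms that the path is a directory, and `nix::sys::stat::stat` follows symlinks. The `EEXIST` branch of `create_configdir` therefore accepts a regular file, or the target of a symlink, as long as it is owned by backup with mode 0700. Using `let stat = nix::sys::stat::lstat(cfgdir)?;` and adding `if stat.st_mode & SFlag::S_IFMT.bits() != SFlag::S_IFDIR.bits() { bail!("not a directory"); }` (with `use nix::sys::stat::SFlag;`) closes that gap. The `0o777` mask also leaves the setuid, setgid and sticky bits unchecked; `stat.st_mode & 0o7777` compared against `0o700` would reject them. If `chown` fails after a successful `mkdir`, the directory keeps the creating user's ownership and every later start fails in the `EEXIST` branch with "wrong user", so consider removing the directory on that error path. `create_configdir` has no doc comment; one such as `/// Create the configuration directory (mode 0700, owned by backup), or verify its permissions if it already exists` would state the contract.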
@@ -41,10 +41,7 @@ pub mod section_config; pub mod backup; -pub mod config { - - pub mod datastore; -} +pub mod config; pub mod storage {