tyler
/
proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

api2: reader env: fix priv checks 

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2022-05-24 11:13:04 +02:00 committed by Thomas Lamprecht
parent ebfcf75e14
commit bb5c77fffa
1 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/api2/reader/mod.rs
View File

@ -17,9 +17,9 @@ use proxmox_schema::{BooleanSchema, ObjectSchema};
use proxmox_sys::sortable; use proxmox_sys::sortable;
use pbs_api_types::{ use pbs_api_types::{
Authid, Operation, BACKUP_ARCHIVE_NAME_SCHEMA, BACKUP_ID_SCHEMA, BACKUP_NAMESPACE_SCHEMA, Authid, DatastoreWithNamespace, Operation, BACKUP_ARCHIVE_NAME_SCHEMA, BACKUP_ID_SCHEMA,
BACKUP_TIME_SCHEMA, BACKUP_TYPE_SCHEMA, CHUNK_DIGEST_SCHEMA, DATASTORE_SCHEMA, BACKUP_NAMESPACE_SCHEMA, BACKUP_TIME_SCHEMA, BACKUP_TYPE_SCHEMA, CHUNK_DIGEST_SCHEMA,
PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ, DATASTORE_SCHEMA, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ,
}; };
use pbs_config::CachedUserInfo; use pbs_config::CachedUserInfo;
use pbs_datastore::index::IndexFile; use pbs_datastore::index::IndexFile;
@ -78,21 +78,26 @@ fn upgrade_to_backup_reader_protocol(
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let store = required_string_param(&param, "store")?.to_owned(); let store = required_string_param(&param, "store")?.to_owned();
let backup_ns = optional_ns_param(&param)?;
let store_with_ns = DatastoreWithNamespace {
store: store.clone(),
ns: backup_ns.clone(),
};
let user_info = CachedUserInfo::new()?; let user_info = CachedUserInfo::new()?;
let privs = user_info.lookup_privs(&auth_id, &["datastore", &store]); let privs = user_info.lookup_privs(&auth_id, &store_with_ns.acl_path());
let priv_read = privs & PRIV_DATASTORE_READ != 0; let priv_read = privs & PRIV_DATASTORE_READ != 0;
let priv_backup = privs & PRIV_DATASTORE_BACKUP != 0; let priv_backup = privs & PRIV_DATASTORE_BACKUP != 0;
// priv_backup needs owner check further down below! // priv_backup needs owner check further down below!
if !priv_read && !priv_backup { if !priv_read && !priv_backup {
bail!("no permissions on /datastore/{}", store); bail!("no permissions on /{}", store_with_ns.acl_path().join("/"));
} }
let datastore = DataStore::lookup_datastore(&store, Some(Operation::Read))?; let datastore = DataStore::lookup_datastore(&store, Some(Operation::Read))?;
let backup_ns = optional_ns_param(&param)?;
let backup_dir = pbs_api_types::BackupDir::deserialize(&param)?; let backup_dir = pbs_api_types::BackupDir::deserialize(&param)?;
let protocols = parts let protocols = parts