[proxmox-backup.git] / pbs-config / src / lib.rs

pub mod acl;
mod cached_user_info;
pub use cached_user_info::CachedUserInfo;
pub mod datastore;
pub mod domains;
pub mod drive;
pub mod key_config;
pub mod media_pool;
pub mod network;
pub mod remote;
pub mod sync;
pub mod tape_encryption_keys;
pub mod tape_job;
pub mod token_shadow;
pub mod traffic_control;
pub mod user;
pub mod verify;

mod config_version_cache;
pub use config_version_cache::ConfigVersionCache;

use anyhow::{format_err, Error};
use nix::unistd::{Gid, Group, Uid, User};

pub use pbs_buildcfg::{BACKUP_USER_NAME, BACKUP_GROUP_NAME};

/// Return User info for the 'backup' user (``getpwnam_r(3)``)
pub fn backup_user() -> Result<nix::unistd::User, Error> {
    if cfg!(test) {
        Ok(User::from_uid(Uid::current())?.expect("current user does not exist"))
    } else {
        User::from_name(BACKUP_USER_NAME)?
            .ok_or_else(|| format_err!("Unable to lookup '{}' user.", BACKUP_USER_NAME))
    }
}

/// Return Group info for the 'backup' group (``getgrnam(3)``)
pub fn backup_group() -> Result<nix::unistd::Group, Error> {
    if cfg!(test) {
        Ok(Group::from_gid(Gid::current())?.expect("current group does not exist"))
    } else {
        Group::from_name(BACKUP_GROUP_NAME)?
            .ok_or_else(|| format_err!("Unable to lookup '{}' group.", BACKUP_GROUP_NAME))
    }
}

pub struct BackupLockGuard(Option<std::fs::File>);

#[doc(hidden)]
/// Note: do not use for production code, this is only intended for tests
pub unsafe fn create_mocked_lock() -> BackupLockGuard {
    BackupLockGuard(None)
}

/// Open or create a lock file owned by user "backup" and lock it.
///
/// Owner/Group of the file is set to backup/backup.
/// File mode is 0660.
/// Default timeout is 10 seconds.
///
/// Note: This method needs to be called by user "root" or "backup".
pub fn open_backup_lockfile<P: AsRef<std::path::Path>>(
    path: P,
    timeout: Option<std::time::Duration>,
    exclusive: bool,
) -> Result<BackupLockGuard, Error> {
    let user = backup_user()?;
    let options = proxmox_sys::fs::CreateOptions::new()
        .perm(nix::sys::stat::Mode::from_bits_truncate(0o660))
        .owner(user.uid)
        .group(user.gid);

    let timeout = timeout.unwrap_or(std::time::Duration::new(10, 0));

    let file = proxmox_sys::fs::open_file_locked(&path, timeout, exclusive, options)?;
    Ok(BackupLockGuard(Some(file)))
}

/// Atomically write data to file owned by "root:backup" with permission "0640"
///
/// Only the superuser can write those files, but group 'backup' can read them.
pub fn replace_backup_config<P: AsRef<std::path::Path>>(
    path: P,
    data: &[u8],
) -> Result<(), Error> {
    let backup_user = backup_user()?;
    let mode = nix::sys::stat::Mode::from_bits_truncate(0o0640);
    // set the correct owner/group/permissions while saving file
    // owner(rw) = root, group(r)= backup
    let options = proxmox_sys::fs::CreateOptions::new()
        .perm(mode)
        .owner(nix::unistd::ROOT)
        .group(backup_user.gid);

    proxmox_sys::fs::replace_file(path, data, options, true)?;

    Ok(())
}

/// Atomically write data to file owned by "root:root" with permission "0600"
///
/// Only the superuser can read and write those files.
pub fn replace_secret_config<P: AsRef<std::path::Path>>(
    path: P,
    data: &[u8],
) -> Result<(), Error> {
    let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
    // set the correct owner/group/permissions while saving file
    // owner(rw) = root, group(r)= root
    let options = proxmox_sys::fs::CreateOptions::new()
        .perm(mode)
        .owner(nix::unistd::ROOT)
        .group(nix::unistd::Gid::from_raw(0));

    proxmox_sys::fs::replace_file(path, data, options, true)?;

    Ok(())
}
Commit	Line	Data
8cc3760e	1	pub mod acl;
ba3d7e19 DM	2	mod cached_user_info;
ba3d7e19 DM	3	pub use cached_user_info::CachedUserInfo;
e7d4be9d	4	pub mod datastore;
21211748	5	pub mod domains;
1ce8e905	6	pub mod drive;
bbdda58b	7	pub mod key_config;
aad2d162	8	pub mod media_pool;
6f422880	9	pub mod network;
6afdda88	10	pub mod remote;
a4e5a0fc	11	pub mod sync;
5839c469	12	pub mod tape_encryption_keys;
e3619d41	13	pub mod tape_job;
1cb08a0a	14	pub mod token_shadow;
bfd12e87	15	pub mod traffic_control;
ba3d7e19	16	pub mod user;
802189f7	17	pub mod verify;
21211748	18
cb80ffc1 DM	19	mod config_version_cache;
cb80ffc1 DM	20	pub use config_version_cache::ConfigVersionCache;
ba3d7e19	21
21211748	22	use anyhow::{format_err, Error};
fddb9bcc	23	use nix::unistd::{Gid, Group, Uid, User};
21211748 DM	24
	25	pub use pbs_buildcfg::{BACKUP_USER_NAME, BACKUP_GROUP_NAME};
	26
	27	/// Return User info for the 'backup' user (``getpwnam_r(3)``)
	28	pub fn backup_user() -> Result<nix::unistd::User, Error> {
fddb9bcc DM	29	if cfg!(test) {
	30	Ok(User::from_uid(Uid::current())?.expect("current user does not exist"))
	31	} else {
	32	User::from_name(BACKUP_USER_NAME)?
	33	.ok_or_else(\|\| format_err!("Unable to lookup '{}' user.", BACKUP_USER_NAME))
	34	}
21211748 DM	35	}
	36
	37	/// Return Group info for the 'backup' group (``getgrnam(3)``)
	38	pub fn backup_group() -> Result<nix::unistd::Group, Error> {
fddb9bcc DM	39	if cfg!(test) {
	40	Ok(Group::from_gid(Gid::current())?.expect("current group does not exist"))
	41	} else {
	42	Group::from_name(BACKUP_GROUP_NAME)?
	43	.ok_or_else(\|\| format_err!("Unable to lookup '{}' group.", BACKUP_GROUP_NAME))
	44	}
21211748	45	}
fddb9bcc	46
ebf34e7e DC	47	pub struct BackupLockGuard(Option<std::fs::File>);
	48
	49	#[doc(hidden)]
	50	/// Note: do not use for production code, this is only intended for tests
	51	pub unsafe fn create_mocked_lock() -> BackupLockGuard {
	52	BackupLockGuard(None)
	53	}
21211748 DM	54
	55	/// Open or create a lock file owned by user "backup" and lock it.
	56	///
	57	/// Owner/Group of the file is set to backup/backup.
	58	/// File mode is 0660.
	59	/// Default timeout is 10 seconds.
	60	///
	61	/// Note: This method needs to be called by user "root" or "backup".
	62	pub fn open_backup_lockfile<P: AsRef<std::path::Path>>(
	63	path: P,
	64	timeout: Option<std::time::Duration>,
	65	exclusive: bool,
	66	) -> Result<BackupLockGuard, Error> {
	67	let user = backup_user()?;
25877d05	68	let options = proxmox_sys::fs::CreateOptions::new()
21211748 DM	69	.perm(nix::sys::stat::Mode::from_bits_truncate(0o660))
	70	.owner(user.uid)
	71	.group(user.gid);
	72
	73	let timeout = timeout.unwrap_or(std::time::Duration::new(10, 0));
	74
25877d05	75	let file = proxmox_sys::fs::open_file_locked(&path, timeout, exclusive, options)?;
ebf34e7e	76	Ok(BackupLockGuard(Some(file)))
21211748 DM	77	}
	78
	79	/// Atomically write data to file owned by "root:backup" with permission "0640"
	80	///
	81	/// Only the superuser can write those files, but group 'backup' can read them.
	82	pub fn replace_backup_config<P: AsRef<std::path::Path>>(
	83	path: P,
	84	data: &[u8],
	85	) -> Result<(), Error> {
	86	let backup_user = backup_user()?;
	87	let mode = nix::sys::stat::Mode::from_bits_truncate(0o0640);
	88	// set the correct owner/group/permissions while saving file
	89	// owner(rw) = root, group(r)= backup
25877d05	90	let options = proxmox_sys::fs::CreateOptions::new()
21211748 DM	91	.perm(mode)
	92	.owner(nix::unistd::ROOT)
	93	.group(backup_user.gid);
	94
25877d05	95	proxmox_sys::fs::replace_file(path, data, options, true)?;
21211748 DM	96
	97	Ok(())
	98	}
	99
	100	/// Atomically write data to file owned by "root:root" with permission "0600"
	101	///
	102	/// Only the superuser can read and write those files.
	103	pub fn replace_secret_config<P: AsRef<std::path::Path>>(
	104	path: P,
	105	data: &[u8],
	106	) -> Result<(), Error> {
	107	let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
	108	// set the correct owner/group/permissions while saving file
	109	// owner(rw) = root, group(r)= root
25877d05	110	let options = proxmox_sys::fs::CreateOptions::new()
21211748 DM	111	.perm(mode)
	112	.owner(nix::unistd::ROOT)
	113	.group(nix::unistd::Gid::from_raw(0));
	114
25877d05	115	proxmox_sys::fs::replace_file(path, data, options, true)?;
21211748 DM	116
	117	Ok(())
	118	}