[proxmox-backup.git] / src / config.rs

//! Proxmox Backup Server Configuration library
//!
//! This library contains helper to read, parse and write the
//! configuration files.

use failure::*;

use proxmox::tools::try_block;

use crate::buildcfg;

pub mod datastore;

/// Check configuration directory permissions
///
/// For security reasons, we want to make sure they are set correctly:
/// * owned by 'backup' user/group
/// * nobody else can read (mode 0700)
pub fn check_configdir_permissions() -> Result<(), Error> {
    let cfgdir = buildcfg::CONFIGDIR;
    let (backup_uid, backup_gid) = crate::tools::getpwnam_ugid("backup")?;

    try_block!({
        let stat = nix::sys::stat::stat(cfgdir)?;

        if stat.st_uid != backup_uid {
            bail!("wrong user ({} != {})", stat.st_uid, backup_uid);
        }
        if stat.st_gid != backup_gid {
            bail!("wrong group ({} != {})", stat.st_gid, backup_gid);
        }

        let perm = stat.st_mode & 0o777;
        if perm != 0o700 {
            bail!("wrong permission ({:o} != {:o})", perm, 0o700);
        }
        Ok(())
    })
    .map_err(|err| {
        format_err!(
            "configuration directory '{}' permission problem - {}",
            cfgdir,
            err
        )
    })
}

pub fn create_configdir() -> Result<(), Error> {
    use nix::sys::stat::Mode;

    let cfgdir = buildcfg::CONFIGDIR;
    let (backup_uid, backup_gid) = crate::tools::getpwnam_ugid("backup")?;

    match nix::unistd::mkdir(cfgdir, Mode::from_bits_truncate(0o700)) {
        Ok(()) => {}
        Err(nix::Error::Sys(nix::errno::Errno::EEXIST)) => {
            check_configdir_permissions()?;
            return Ok(());
        }
        Err(err) => bail!(
            "unable to create configuration directory '{}' - {}",
            cfgdir,
            err
        ),
    }

    try_block!({
        let uid = nix::unistd::Uid::from_raw(backup_uid);
        let gid = nix::unistd::Gid::from_raw(backup_gid);

        nix::unistd::chown(cfgdir, Some(uid), Some(gid))?;

        Ok(())
    })
    .map_err(|err: Error| {
        format_err!(
            "unable to set configuration directory '{}' permissions - {}",
            cfgdir,
            err
        )
    })
}
Commit	Line	Data
a8f268af DM	1	//! Proxmox Backup Server Configuration library
	2	//!
	3	//! This library contains helper to read, parse and write the
	4	//! configuration files.
	5
	6	use failure::*;
	7
e18a6c9e DM	8	use proxmox::tools::try_block;
e18a6c9e DM	9
a8f268af DM	10	use crate::buildcfg;
a8f268af DM	11
5c20e2da WB	12	pub mod datastore;
5c20e2da WB	13
a8f268af DM	14	/// Check configuration directory permissions
	15	///
	16	/// For security reasons, we want to make sure they are set correctly:
	17	/// * owned by 'backup' user/group
	18	/// * nobody else can read (mode 0700)
8fdef1a8	19	pub fn check_configdir_permissions() -> Result<(), Error> {
a8f268af	20	let cfgdir = buildcfg::CONFIGDIR;
e18a6c9e	21	let (backup_uid, backup_gid) = crate::tools::getpwnam_ugid("backup")?;
a8f268af DM	22
	23	try_block!({
	24	let stat = nix::sys::stat::stat(cfgdir)?;
	25
	26	if stat.st_uid != backup_uid {
5c20e2da	27	bail!("wrong user ({} != {})", stat.st_uid, backup_uid);
a8f268af DM	28	}
a8f268af DM	29	if stat.st_gid != backup_gid {
5c20e2da	30	bail!("wrong group ({} != {})", stat.st_gid, backup_gid);
a8f268af DM	31	}
	32
	33	let perm = stat.st_mode & 0o777;
	34	if perm != 0o700 {
5c20e2da	35	bail!("wrong permission ({:o} != {:o})", perm, 0o700);
a8f268af DM	36	}
a8f268af DM	37	Ok(())
5c20e2da WB	38	})
	39	.map_err(\|err\| {
	40	format_err!(
	41	"configuration directory '{}' permission problem - {}",
	42	cfgdir,
	43	err
	44	)
	45	})
a8f268af DM	46	}
	47
	48	pub fn create_configdir() -> Result<(), Error> {
a8f268af DM	49	use nix::sys::stat::Mode;
	50
	51	let cfgdir = buildcfg::CONFIGDIR;
e18a6c9e	52	let (backup_uid, backup_gid) = crate::tools::getpwnam_ugid("backup")?;
a8f268af DM	53
a8f268af DM	54	match nix::unistd::mkdir(cfgdir, Mode::from_bits_truncate(0o700)) {
5c20e2da	55	Ok(()) => {}
a8f268af	56	Err(nix::Error::Sys(nix::errno::Errno::EEXIST)) => {
8fdef1a8	57	check_configdir_permissions()?;
a8f268af	58	return Ok(());
5c20e2da WB	59	}
	60	Err(err) => bail!(
	61	"unable to create configuration directory '{}' - {}",
	62	cfgdir,
	63	err
	64	),
a8f268af DM	65	}
	66
	67	try_block!({
	68	let uid = nix::unistd::Uid::from_raw(backup_uid);
	69	let gid = nix::unistd::Gid::from_raw(backup_gid);
	70
	71	nix::unistd::chown(cfgdir, Some(uid), Some(gid))?;
	72
	73	Ok(())
5c20e2da WB	74	})
	75	.map_err(\|err: Error\| {
	76	format_err!(
	77	"unable to set configuration directory '{}' permissions - {}",
	78	cfgdir,
	79	err
	80	)
	81	})
a8f268af	82	}