]>
Commit | Line | Data |
---|---|---|
a8f268af DM |
1 | //! Proxmox Backup Server Configuration library |
2 | //! | |
3 | //! This library contains helper to read, parse and write the | |
4 | //! configuration files. | |
5 | ||
6 | use failure::*; | |
7 | ||
e18a6c9e DM |
8 | use proxmox::tools::try_block; |
9 | ||
a8f268af DM |
10 | use crate::buildcfg; |
11 | ||
5c20e2da WB |
12 | pub mod datastore; |
13 | ||
a8f268af DM |
14 | /// Check configuration directory permissions |
15 | /// | |
16 | /// For security reasons, we want to make sure they are set correctly: | |
17 | /// * owned by 'backup' user/group | |
18 | /// * nobody else can read (mode 0700) | |
8fdef1a8 | 19 | pub fn check_configdir_permissions() -> Result<(), Error> { |
a8f268af | 20 | let cfgdir = buildcfg::CONFIGDIR; |
e18a6c9e | 21 | let (backup_uid, backup_gid) = crate::tools::getpwnam_ugid("backup")?; |
a8f268af DM |
22 | |
23 | try_block!({ | |
24 | let stat = nix::sys::stat::stat(cfgdir)?; | |
25 | ||
26 | if stat.st_uid != backup_uid { | |
5c20e2da | 27 | bail!("wrong user ({} != {})", stat.st_uid, backup_uid); |
a8f268af DM |
28 | } |
29 | if stat.st_gid != backup_gid { | |
5c20e2da | 30 | bail!("wrong group ({} != {})", stat.st_gid, backup_gid); |
a8f268af DM |
31 | } |
32 | ||
33 | let perm = stat.st_mode & 0o777; | |
34 | if perm != 0o700 { | |
5c20e2da | 35 | bail!("wrong permission ({:o} != {:o})", perm, 0o700); |
a8f268af DM |
36 | } |
37 | Ok(()) | |
5c20e2da WB |
38 | }) |
39 | .map_err(|err| { | |
40 | format_err!( | |
41 | "configuration directory '{}' permission problem - {}", | |
42 | cfgdir, | |
43 | err | |
44 | ) | |
45 | }) | |
a8f268af DM |
46 | } |
47 | ||
48 | pub fn create_configdir() -> Result<(), Error> { | |
a8f268af DM |
49 | use nix::sys::stat::Mode; |
50 | ||
51 | let cfgdir = buildcfg::CONFIGDIR; | |
e18a6c9e | 52 | let (backup_uid, backup_gid) = crate::tools::getpwnam_ugid("backup")?; |
a8f268af DM |
53 | |
54 | match nix::unistd::mkdir(cfgdir, Mode::from_bits_truncate(0o700)) { | |
5c20e2da | 55 | Ok(()) => {} |
a8f268af | 56 | Err(nix::Error::Sys(nix::errno::Errno::EEXIST)) => { |
8fdef1a8 | 57 | check_configdir_permissions()?; |
a8f268af | 58 | return Ok(()); |
5c20e2da WB |
59 | } |
60 | Err(err) => bail!( | |
61 | "unable to create configuration directory '{}' - {}", | |
62 | cfgdir, | |
63 | err | |
64 | ), | |
a8f268af DM |
65 | } |
66 | ||
67 | try_block!({ | |
68 | let uid = nix::unistd::Uid::from_raw(backup_uid); | |
69 | let gid = nix::unistd::Gid::from_raw(backup_gid); | |
70 | ||
71 | nix::unistd::chown(cfgdir, Some(uid), Some(gid))?; | |
72 | ||
73 | Ok(()) | |
5c20e2da WB |
74 | }) |
75 | .map_err(|err: Error| { | |
76 | format_err!( | |
77 | "unable to set configuration directory '{}' permissions - {}", | |
78 | cfgdir, | |
79 | err | |
80 | ) | |
81 | }) | |
a8f268af | 82 | } |