]> git.proxmox.com Git - proxmox-backup.git/blob - src/config.rs
projects / proxmox-backup.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
depend on libjs-qrcodejs
[proxmox-backup.git] / src / config.rs
1 //! Proxmox Backup Server Configuration library
2 //!
3 //! This library contains helper to read, parse and write the
4 //! configuration files.
5
6 use anyhow::{bail, format_err, Error};
7 use std::path::PathBuf;
8 use nix::sys::stat::Mode;
9 use openssl::rsa::{Rsa};
10 use openssl::x509::{X509Builder};
11 use openssl::pkey::PKey;
12
13 use proxmox::tools::fs::{CreateOptions, replace_file};
14 use proxmox::try_block;
15
16 use crate::buildcfg;
17
18 pub mod acl;
19 pub mod cached_user_info;
20 pub mod datastore;
21 pub mod network;
22 pub mod remote;
23 pub mod sync;
24 pub mod tfa;
25 pub mod token_shadow;
26 pub mod user;
27 pub mod verify;
28 pub mod drive;
29 pub mod media_pool;
30
31 /// Check configuration directory permissions
32 ///
33 /// For security reasons, we want to make sure they are set correctly:
34 /// * owned by 'backup' user/group
35 /// * nobody else can read (mode 0700)
36 pub fn check_configdir_permissions() -> Result<(), Error> {
37 let cfgdir = buildcfg::CONFIGDIR;
38
39 let backup_user = crate::backup::backup_user()?;
40 let backup_uid = backup_user.uid.as_raw();
41 let backup_gid = backup_user.gid.as_raw();
42
43 try_block!({
44 let stat = nix::sys::stat::stat(cfgdir)?;
45
46 if stat.st_uid != backup_uid {
47 bail!("wrong user ({} != {})", stat.st_uid, backup_uid);
48 }
49 if stat.st_gid != backup_gid {
50 bail!("wrong group ({} != {})", stat.st_gid, backup_gid);
51 }
52
53 let perm = stat.st_mode & 0o777;
54 if perm != 0o700 {
55 bail!("wrong permission ({:o} != {:o})", perm, 0o700);
56 }
57 Ok(())
58 })
59 .map_err(|err| {
60 format_err!(
61 "configuration directory '{}' permission problem - {}",
62 cfgdir,
63 err
64 )
65 })
66 }
67
68 pub fn create_configdir() -> Result<(), Error> {
69 let cfgdir = buildcfg::CONFIGDIR;
70
71 match nix::unistd::mkdir(cfgdir, Mode::from_bits_truncate(0o700)) {
72 Ok(()) => {}
73 Err(nix::Error::Sys(nix::errno::Errno::EEXIST)) => {
74 check_configdir_permissions()?;
75 return Ok(());
76 }
77 Err(err) => bail!(
78 "unable to create configuration directory '{}' - {}",
79 cfgdir,
80 err
81 ),
82 }
83
84 let backup_user = crate::backup::backup_user()?;
85
86 nix::unistd::chown(cfgdir, Some(backup_user.uid), Some(backup_user.gid))
87 .map_err(|err| {
88 format_err!(
89 "unable to set configuration directory '{}' permissions - {}",
90 cfgdir,
91 err
92 )
93 })
94 }
95
96 /// Update self signed node certificate.
97 pub fn update_self_signed_cert(force: bool) -> Result<(), Error> {
98
99 let backup_user = crate::backup::backup_user()?;
100
101 create_configdir()?;
102
103 let key_path = PathBuf::from(configdir!("/proxy.key"));
104 let cert_path = PathBuf::from(configdir!("/proxy.pem"));
105
106 if key_path.exists() && cert_path.exists() && !force { return Ok(()); }
107
108 let rsa = Rsa::generate(4096).unwrap();
109
110 let priv_pem = rsa.private_key_to_pem()?;
111
112 replace_file(
113 &key_path,
114 &priv_pem,
115 CreateOptions::new()
116 .perm(Mode::from_bits_truncate(0o0640))
117 .owner(nix::unistd::ROOT)
118 .group(backup_user.gid),
119 )?;
120
121 let mut x509 = X509Builder::new()?;
122
123 x509.set_version(2)?;
124
125 let today = openssl::asn1::Asn1Time::days_from_now(0)?;
126 x509.set_not_before(&today)?;
127 let expire = openssl::asn1::Asn1Time::days_from_now(365*1000)?;
128 x509.set_not_after(&expire)?;
129
130 let nodename = proxmox::tools::nodename();
131 let mut fqdn = nodename.to_owned();
132
133 let resolv_conf = crate::api2::node::dns::read_etc_resolv_conf()?;
134 if let Some(search) = resolv_conf["search"].as_str() {
135 fqdn.push('.');
136 fqdn.push_str(search);
137 }
138
139 // we try to generate an unique 'subject' to avoid browser problems
140 //(reused serial numbers, ..)
141 let uuid = proxmox::tools::uuid::Uuid::generate();
142
143 let mut subject_name = openssl::x509::X509NameBuilder::new()?;
144 subject_name.append_entry_by_text("O", "Proxmox Backup Server")?;
145 subject_name.append_entry_by_text("OU", &format!("{:X}", uuid))?;
146 subject_name.append_entry_by_text("CN", &fqdn)?;
147 let subject_name = subject_name.build();
148
149 x509.set_subject_name(&subject_name)?;
150 x509.set_issuer_name(&subject_name)?;
151
152 let bc = openssl::x509::extension::BasicConstraints::new(); // CA = false
153 let bc = bc.build()?;
154 x509.append_extension(bc)?;
155
156 let usage = openssl::x509::extension::ExtendedKeyUsage::new()
157 .server_auth()
158 .build()?;
159 x509.append_extension(usage)?;
160
161 let context = x509.x509v3_context(None, None);
162
163 let mut alt_names = openssl::x509::extension::SubjectAlternativeName::new();
164
165 alt_names.ip("127.0.0.1");
166 alt_names.ip("::1");
167
168 alt_names.dns("localhost");
169
170 if nodename != "localhost" { alt_names.dns(nodename); }
171 if nodename != fqdn { alt_names.dns(&fqdn); }
172
173 let alt_names = alt_names.build(&context)?;
174
175 x509.append_extension(alt_names)?;
176
177 let pub_pem = rsa.public_key_to_pem()?;
178 let pubkey = PKey::public_key_from_pem(&pub_pem)?;
179
180 x509.set_pubkey(&pubkey)?;
181
182 let context = x509.x509v3_context(None, None);
183 let ext = openssl::x509::extension::SubjectKeyIdentifier::new().build(&context)?;
184 x509.append_extension(ext)?;
185
186 let context = x509.x509v3_context(None, None);
187 let ext = openssl::x509::extension::AuthorityKeyIdentifier::new()
188 .keyid(true)
189 .build(&context)?;
190 x509.append_extension(ext)?;
191
192 let privkey = PKey::from_rsa(rsa)?;
193
194 x509.sign(&privkey, openssl::hash::MessageDigest::sha256())?;
195
196 let x509 = x509.build();
197 let cert_pem = x509.to_pem()?;
198
199 replace_file(
200 &cert_path,
201 &cert_pem,
202 CreateOptions::new()
203 .perm(Mode::from_bits_truncate(0o0640))
204 .owner(nix::unistd::ROOT)
205 .group(backup_user.gid),
206 )?;
207
208 Ok(())
209 }
Proxmox Backup Server and Client