//! Proxmox Backup Server Configuration library
//!
//! This library contains helpers to read, parse and write the
//! configuration files.
5
6 use failure::*;
7
8 pub mod datastore;
9
10 use crate::tools;
11 use crate::buildcfg;
12
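/// Check configuration directory permissions
///
/// For security reasons, we want to make sure they are set correctly:
/// * the path is a directory
/// * owned by 'backup' user/group
/// * nobody else can access it (mode 0700)
///
/// # Errors
///
/// Fails if `tools::getpwnam_ugid("backup")` fails (that error is passed
/// through unchanged), if the directory cannot be stat'ed, or if any of
/// the checks above does not hold. Errors from the stat call and from the
/// checks are prefixed with the configuration directory path.
pub fn check_configdir_permissions() -> Result<(), Error> {
    use nix::sys::stat::SFlag;

    let cfgdir = buildcfg::CONFIGDIR;
    let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;

    try_block!({
        // stat() resolves symlinks, so the checks below describe the link
        // target. This is a point-in-time check only; nothing here keeps
        // ownership or mode from changing afterwards.
        let stat = nix::sys::stat::stat(cfgdir)?;

        // Owner and mode checks are meaningless on anything but a directory,
        // so reject regular files, devices, sockets etc. up front.
        if stat.st_mode & SFlag::S_IFMT.bits() != SFlag::S_IFDIR.bits() {
            bail!("not a directory");
        }

        if stat.st_uid != backup_uid {
            bail!("wrong user ({} != {})", stat.st_uid, backup_uid);
        }
        if stat.st_gid != backup_gid {
            bail!("wrong group ({} != {})", stat.st_gid, backup_gid);
        }

        // Only the rwx bits for user/group/other are compared; the
        // setuid/setgid/sticky bits are masked out and not checked.
        let perm = stat.st_mode & 0o777;
        if perm != 0o700 {
            bail!("wrong permission ({:o} != {:o})", perm, 0o700);
        }
        Ok(())
    }).map_err(|err| format_err!("configuration directory '{}' permission problem - {}", cfgdir, err))
}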
40
/// Create the configuration directory and hand it over to the 'backup' user.
///
/// The directory is created with a requested mode of 0700 and is then
/// chown'ed to the uid/gid returned for the 'backup' user. If the path
/// already exists, nothing is modified; it is only validated with
/// [`check_configdir_permissions`].
///
/// # Errors
///
/// Fails if `tools::getpwnam_ugid("backup")` fails, if the directory cannot
/// be created for a reason other than `EEXIST`, if an existing directory
/// does not pass [`check_configdir_permissions`], or if the chown fails.
pub fn create_configdir() -> Result<(), Error> {
    use nix::errno::Errno;
    use nix::sys::stat::Mode;
    use nix::unistd::{Gid, Uid};

    let cfgdir = buildcfg::CONFIGDIR;
    // Resolve the owner before touching the filesystem, so a failed lookup
    // leaves nothing behind.
    let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;

    // mkdir(2) applies the process umask to the requested mode, and the
    // resulting mode is not re-checked in this function.
    let requested_mode = Mode::from_bits_truncate(0o700);
    if let Err(err) = nix::unistd::mkdir(cfgdir, requested_mode) {
        // An existing path is never modified, only validated.
        if let nix::Error::Sys(Errno::EEXIST) = err {
            return check_configdir_permissions();
        }
        bail!("unable to create configuration directory '{}' - {}", cfgdir, err);
    }

    // Freshly created: transfer ownership to the 'backup' user and group.
    let owner = Uid::from_raw(backup_uid);
    let group = Gid::from_raw(backup_gid);

    nix::unistd::chown(cfgdir, Some(owner), Some(group)).map_err(|err| {
        format_err!(
            "unable to set configuration directory '{}' permissions - {}",
            cfgdir,
            err
        )
    })
}