fix configuration dir permission

author Dietmar Maurer <dietmar@proxmox.com>

Sat, 16 Feb 2019 11:19:13 +0000 (12:19 +0100)

committer Dietmar Maurer <dietmar@proxmox.com>

Sat, 16 Feb 2019 11:19:13 +0000 (12:19 +0100)
author Dietmar Maurer <dietmar@proxmox.com>
Sat, 16 Feb 2019 11:19:13 +0000 (12:19 +0100)
committer Dietmar Maurer <dietmar@proxmox.com>
Sat, 16 Feb 2019 11:19:13 +0000 (12:19 +0100)
diff --git a/debian/dirs b/debian/dirs

deleted file mode 100644 (file)

index c291552..0000000
--- a/debian/dirs
+++ /dev/null
@@ -1 +0,0 @@
-/etc/proxmox-backup
diff --git a/src/bin/proxmox-backup-api.rs b/src/bin/proxmox-backup-api.rs

index 291b0288fa79273fdc0ce6680e1b1c9ae5753bb9..29ab6d6b1fb8d65aae4bfad7c0fc1a8add7758b6 100644 (file)
--- a/src/bin/proxmox-backup-api.rs
+++ b/src/bin/proxmox-backup-api.rs
@@ -5,6 +5,7 @@ use proxmox_backup::api::router::*;
  use proxmox_backup::api::config::*;
  use proxmox_backup::server::rest::*;
  use proxmox_backup::auth_helpers::*;
+use proxmox_backup::config;
  
  use failure::*;
  use lazy_static::lazy_static;
@@ -28,7 +29,9 @@ fn run() -> Result<(), Error> {
          log::LevelFilter::Info,
          Some("proxmox-backup-api")) {
          bail!("unable to inititialize syslog - {}", err);
-     }
+    }
+
+    config::create_configdir()?;
  
      if let Err(err) = generate_auth_key() {
          bail!("unable to generate auth key - {}", err);
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs

index c64ce8a6954e7f0b1ab075d16a1cbf1e470bf66a..7eca6f173eea88a1faed2331a6e1de15b6fb9516 100644 (file)
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -56,10 +56,7 @@ fn run() -> Result<(), Error> {
      let rest_server = RestServer::new(config);
  
      let cert_path = configdir!("/proxy.pfx");
-    let raw_cert = match tools::file_get_contents(cert_path) {
-        Ok(data) => data,
-        Err(err) => bail!("unable to read certificate {} - {}", cert_path, err),
-    };
+    let raw_cert = tools::file_get_contents(cert_path)?;
  
      let identity = match native_tls::Identity::from_pkcs12(&raw_cert, "") {
          Ok(data) => data,
diff --git a/src/config.rs b/src/config.rs

new file mode 100644 (file)

index 0000000..e648a20
--- /dev/null
+++ b/src/config.rs
@@ -0,0 +1,66 @@
+//! Proxmox Backup Server Configuration library
+//!
+//! This library contains helper to read, parse and write the
+//! configuration files.
+
+use failure::*;
+
+pub mod datastore;
+
+use crate::tools;
+use crate::buildcfg;
+
+/// Check configuration directory permissions
+///
+/// For security reasons, we want to make sure they are set correctly:
+/// * owned by 'backup' user/group
+/// * nobody else can read (mode 0700)
+pub fn check_confidir_permissions() -> Result<(), Error> {
+
+    let cfgdir = buildcfg::CONFIGDIR;
+    let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;
+
+    try_block!({
+        let stat = nix::sys::stat::stat(cfgdir)?;
+
+        if stat.st_uid != backup_uid {
+            bail!("wrong user ({} != {})",  stat.st_uid, backup_uid);
+        }
+        if stat.st_gid != backup_gid {
+            bail!("wrong group ({} != {})",  stat.st_gid, backup_gid);
+        }
+
+        let perm = stat.st_mode & 0o777;
+        if perm != 0o700 {
+            bail!("wrong permission ({:o} != {:o})",  perm, 0o700);
+        }
+        Ok(())
+    }).map_err(|err| format_err!("configuration directory '{}' permission problem - {}", cfgdir, err))
+}
+
+pub fn create_configdir() -> Result<(), Error> {
+
+    use nix::sys::stat::Mode;
+
+    let cfgdir = buildcfg::CONFIGDIR;
+    let (backup_uid, backup_gid) = tools::getpwnam_ugid("backup")?;
+
+    match nix::unistd::mkdir(cfgdir, Mode::from_bits_truncate(0o700)) {
+        Ok(()) => {},
+        Err(nix::Error::Sys(nix::errno::Errno::EEXIST)) => {
+            check_confidir_permissions()?;
+            return Ok(());
+        },
+        Err(err) => bail!("unable to create configuration directory '{}' - {}", cfgdir, err),
+    }
+
+    try_block!({
+        let uid = nix::unistd::Uid::from_raw(backup_uid);
+        let gid = nix::unistd::Gid::from_raw(backup_gid);
+
+        nix::unistd::chown(cfgdir, Some(uid), Some(gid))?;
+
+        Ok(())
+    }).map_err(|err: Error| format_err!(
+        "unable to set configuration directory '{}' permissions - {}", cfgdir, err))
+}
diff --git a/src/lib.rs b/src/lib.rs

index f49930d3a69d73e4b886cf795149c4c250376e1d..b6f85f7b30dfeeb82f12a6b927bd26eb27831879 100644 (file)
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -41,10 +41,7 @@ pub mod section_config;
  
  pub mod backup;
  
-pub mod config {
-
-    pub mod datastore;
-}
+pub mod config;
  
  pub mod storage {
author	Dietmar Maurer <dietmar@proxmox.com>
	Sat, 16 Feb 2019 11:19:13 +0000 (12:19 +0100)
committer	Dietmar Maurer <dietmar@proxmox.com>
	Sat, 16 Feb 2019 11:19:13 +0000 (12:19 +0100)
debian/dirs	[deleted file]	patch \| blob \| blame \| history
src/bin/proxmox-backup-api.rs		patch \| blob \| blame \| history
src/bin/proxmox-backup-proxy.rs		patch \| blob \| blame \| history
src/config.rs	[new file with mode: 0644]	patch \| blob
src/lib.rs		patch \| blob \| blame \| history