* [pbs-devel] applied: [PATCH backup 1/2] backup: add BACKUP_GROUP_NAME const and backup_group helper
@ 2020-08-26  8:31 Thomas Lamprecht
  2020-08-26  8:31 ` [pbs-devel] applied: [PATCH backup 2/2] bin/backup-proxy: assert that daemon runs as backup user/group Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Thomas Lamprecht @ 2020-08-26  8:31 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 src/backup.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/backup.rs b/src/backup.rs
index cb1426ab..1b2180bc 100644
--- a/src/backup.rs
+++ b/src/backup.rs
@@ -120,6 +120,8 @@ macro_rules! PROXMOX_BACKUP_READER_PROTOCOL_ID_V1 {
 
 /// Unix system user used by proxmox-backup-proxy
 pub const BACKUP_USER_NAME: &str = "backup";
+/// Unix system group used by proxmox-backup-proxy
+pub const BACKUP_GROUP_NAME: &str = "backup";
 
 /// Return User info for the 'backup' user (``getpwnam_r(3)``)
 pub fn backup_user() -> Result<nix::unistd::User, Error> {
@@ -129,6 +131,14 @@ pub fn backup_user() -> Result<nix::unistd::User, Error> {
     }
 }
 
+/// Return Group info for the 'backup' group (``getgrnam(3)``)
+pub fn backup_group() -> Result<nix::unistd::Group, Error> {
+    match nix::unistd::Group::from_name(BACKUP_GROUP_NAME)? {
+        Some(group) => Ok(group),
+        None => bail!("Unable to lookup backup user."),
+    }
+}
+
 mod file_formats;
 pub use file_formats::*;
 
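Review bot: The `None` arm of `backup_group()` bails with "Unable to lookup backup user.", which was carried over from `backup_user()`; it should say "group", otherwise a missing `backup` group is reported as a missing user. The doc comment also cites ``getgrnam(3)`` while the one on `backup_user()` cites ``getpwnam_r(3)``, so it is worth checking that it names the call `Group::from_name` actually makes.
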
-- 
2.27.0






* [pbs-devel] applied: [PATCH backup 2/2] bin/backup-proxy: assert that daemon runs as backup user/group
  2020-08-26  8:31 [pbs-devel] applied: [PATCH backup 1/2] backup: add BACKUP_GROUP_NAME const and backup_group helper Thomas Lamprecht
@ 2020-08-26  8:31 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2020-08-26  8:31 UTC (permalink / raw)
  To: pbs-devel

Because if not, the backups it creates have bogus permissions and may
seem like they got broken once the daemon is started again with the
correct user/group.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 src/bin/proxmox-backup-proxy.rs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index dd7904c3..dd081dfe 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -23,6 +23,15 @@ use proxmox_backup::api2::pull::do_sync_job;
 fn main() -> Result<(), Error> {
     proxmox_backup::tools::setup_safe_path_env();
 
+    let backup_uid = proxmox_backup::backup::backup_user()?.uid;
+    let backup_gid = proxmox_backup::backup::backup_group()?.gid;
+    let running_uid = nix::unistd::Uid::effective();
+    let running_gid = nix::unistd::Gid::effective();
+
+    if running_uid != backup_uid || running_gid != backup_gid {
+        bail!("proxy not running as backup user or group (got uid {} gid {})", running_uid, running_gid);
+    }
+
     proxmox_backup::tools::runtime::main(run())
 }
 
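Review bot: The `bail!` message in `main()` prints only the uid/gid the process is running with, not the expected ones, and a single message covers both the uid and the gid mismatch. Adding `backup_uid` and `backup_gid` to the text would show from the log line alone which ID is wrong and what it should be. The `bail!` line is also well over 100 columns and could be wrapped.
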
-- 
2.27.0





