From: Dominik Csapak <d.csapak@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 08/11] server/prune_job: add proper permission checks to 'prune_datastore'
Date: Fri, 16 Jul 2021 10:53:25 +0200 [thread overview]
Message-ID: <20210716085328.3731574-9-d.csapak@proxmox.com> (raw)
In-Reply-To: <20210716085328.3731574-1-d.csapak@proxmox.com>
checks for PRIV_DATASTORE_MODIFY, or else if the auth_id is the backup
owner, and skips the group if not.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/backup/datastore.rs | 2 +-
src/server/prune_job.rs | 15 ++++++++++++++-
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/backup/datastore.rs b/src/backup/datastore.rs
index 29700846..0a5a52d1 100644
--- a/src/backup/datastore.rs
+++ b/src/backup/datastore.rs
@@ -355,7 +355,7 @@ impl DataStore {
pub fn owns_backup(&self, backup_group: &BackupGroup, auth_id: &Authid) -> Result<bool, Error> {
let owner = self.get_owner(backup_group)?;
- Ok(check_backup_owner(owner, auth_id).is_ok())
+ Ok(check_backup_owner(&owner, auth_id).is_ok())
}
/// Set the backup owner.
diff --git a/src/server/prune_job.rs b/src/server/prune_job.rs
index 40ed555f..bbf53ade 100644
--- a/src/server/prune_job.rs
+++ b/src/server/prune_job.rs
@@ -6,6 +6,8 @@ use pbs_datastore::{task_log, task_warn};
use crate::{
api2::types::*,
+ config::acl::PRIV_DATASTORE_MODIFY,
+ config::cached_user_info::CachedUserInfo,
backup::{compute_prune_info, BackupInfo, DataStore, PruneOptions},
server::jobstate::Job,
server::WorkerTask,
@@ -13,6 +15,7 @@ use crate::{
pub fn prune_datastore(
worker: Arc<WorkerTask>,
+ auth_id: Authid,
prune_options: PruneOptions,
store: &str,
datastore: Arc<DataStore>,
@@ -31,11 +34,20 @@ pub fn prune_datastore(
);
}
+ let user_info = CachedUserInfo::new()?;
+ let privs = user_info.lookup_privs(&auth_id, &["datastore", store]);
+ let has_privs = privs & PRIV_DATASTORE_MODIFY != 0;
+
let base_path = datastore.base_path();
let groups = BackupInfo::list_backup_groups(&base_path)?;
for group in groups {
let list = group.list_backups(&base_path)?;
+
+ if !has_privs && !datastore.owns_backup(&group, &auth_id)? {
+ continue;
+ }
+
let mut prune_info = compute_prune_info(list, &prune_options)?;
prune_info.reverse(); // delete older snapshots first
@@ -83,6 +95,7 @@ pub fn do_prune_job(
let datastore = DataStore::lookup_datastore(&store)?;
let worker_type = job.jobtype().to_string();
+ let auth_id = auth_id.clone();
let upid_str = WorkerTask::new_thread(
&worker_type,
Some(job.jobname().to_string()),
@@ -95,7 +108,7 @@ pub fn do_prune_job(
task_log!(worker, "task triggered by schedule '{}'", event_str);
}
- let result = prune_datastore(worker.clone(), prune_options, &store, datastore);
+ let result = prune_datastore(worker.clone(), auth_id, prune_options, &store, datastore);
let status = worker.create_state(&result);
--
2.30.2
next prev parent reply other threads:[~2021-07-16 8:53 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-16 8:53 [pbs-devel] [PATCH proxmox-backup 00/11] add 'prune all' button to datastore content Dominik Csapak
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 01/11] api-types: move PRUNE_SCHEMA_KEEP_* to pbs-api-types Dominik Csapak
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 02/11] pbs-datastore/prune: make PruneOptions an api type Dominik Csapak
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 03/11] client: simplify prune api method Dominik Csapak
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 04/11] api: admin/datastore: simplify prune api call Dominik Csapak
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 05/11] backup/datastore: refactor check_backup_owner there Dominik Csapak
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 06/11] server/prune_job: factor out 'prune_datastore' Dominik Csapak
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 07/11] server/prune_job: add 'keep_all' logic to 'prune_datastore' Dominik Csapak
2021-07-16 8:53 ` Dominik Csapak [this message]
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 09/11] api: admin/datastore: add new 'prune-datastore' api call Dominik Csapak
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 10/11] ui: datastore/Content: add 'Prune All' button Dominik Csapak
2021-07-16 8:53 ` [pbs-devel] [PATCH proxmox-backup 11/11] ui: datastore/Prune: improve title of group prune window Dominik Csapak
2021-07-16 9:48 ` [pbs-devel] applied: [PATCH proxmox-backup 00/11] add 'prune all' button to datastore content Dietmar Maurer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210716085328.3731574-9-d.csapak@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal