From: Stefan Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 2/2] fix #3853: tape cli: add force flag to key change-passphrase
Date: Mon, 7 Feb 2022 13:48:25 +0100 [thread overview]
Message-ID: <20220207124825.1116194-2-s.sterz@proxmox.com> (raw)
In-Reply-To: <20220207124825.1116194-1-s.sterz@proxmox.com>
Adds the '--force' flag to the proxmox-tape command allowing users
with root privileges to overwrite the passphrase of a given key.
Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
---
src/bin/proxmox_tape/encryption_key.rs | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/bin/proxmox_tape/encryption_key.rs b/src/bin/proxmox_tape/encryption_key.rs
index 156295fd..3dd9b58b 100644
--- a/src/bin/proxmox_tape/encryption_key.rs
+++ b/src/bin/proxmox_tape/encryption_key.rs
@@ -146,11 +146,18 @@ fn show_key(
hint: {
schema: PASSWORD_HINT_SCHEMA,
},
+ force: {
+ optional: true,
+ type: bool,
+ description: "Don't ask for the old passphrase and overwrite it. Root only.",
+ default: false,
+ },
},
},
)]
/// Change the encryption key's password.
fn change_passphrase(
+ force: bool,
mut param: Value,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
@@ -159,11 +166,23 @@ fn change_passphrase(
bail!("unable to change passphrase - no tty");
}
- let password = tty::read_password("Current Tape Encryption Key Password: ")?;
+ let effective_uid = nix::unistd::Uid::effective();
+ let running_uid = nix::unistd::Uid::current();
+
+ // if the `--force` flag is provided check if we are root
+ if force && !effective_uid.is_root() && !running_uid.is_root() {
+ bail!("the force flag requires root privileges");
+ }
+
+ if force {
+ param["force"] = serde_json::Value::Bool(true);
+ } else {
+ let password = tty::read_password("Current Tape Encryption Key Password: ")?;
+ param["password"] = String::from_utf8(password)?.into();
+ }
let new_password = tty::read_and_verify_password("New Tape Encryption Key Password: ")?;
- param["password"] = String::from_utf8(password)?.into();
param["new-password"] = String::from_utf8(new_password)?.into();
let info = &api2::config::tape_encryption_keys::API_METHOD_CHANGE_PASSPHRASE;
--
2.30.2
next prev parent reply other threads:[~2022-02-07 12:56 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-07 12:48 [pbs-devel] [PATCH proxmox-backup 1/2] fix #3853: api: add force option to tape " Stefan Sterz
2022-02-07 12:48 ` Stefan Sterz [this message]
2022-02-09 13:56 ` [pbs-devel] [PATCH proxmox-backup 2/2] fix #3853: tape cli: add force flag to " Wolfgang Bumiller
2022-02-07 14:58 ` [pbs-devel] [PATCH proxmox-backup 1/2] fix #3853: api: add force option to tape " Thomas Lamprecht
2022-02-07 16:14 ` Stefan Sterz
2022-02-08 15:26 ` Dominik Csapak
2022-02-08 15:30 ` Stefan Sterz
2022-02-09 15:54 ` Thomas Lamprecht
2022-02-09 13:52 ` Wolfgang Bumiller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220207124825.1116194-2-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.