From: Gabriel Goller <g.goller@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup] proxy: check permissions on proxy.key and proxy.pem files
Date: Fri, 23 Aug 2024 11:12:15 +0200 [thread overview]
Message-ID: <20240823091215.124453-1-g.goller@proxmox.com> (raw)
Check the owner and permission of the proxy.key and proxy.pem files.
This avoids openssl's unhelpful error message and prints a nicer one.
Motivation: https://forum.proxmox.com/threads/proxmox-backup-tailscale-proxmox-backup-proxy-service-wont-boot.153204
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
Note: not sure about the correct permissions, we currently default to
640, but maybe a minimum of 400 is enough?
src/bin/proxmox-backup-proxy.rs | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index 041f3aff999c..544196b8bc5d 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -367,6 +367,30 @@ async fn run() -> Result<(), Error> {
Ok(())
}
+/// Check permissions and owner of passed path.
+fn check_permissions<T: AsRef<Path>>(path: T, file_mode: u32) -> Result<(), Error> {
+ match nix::sys::stat::stat(path.as_ref()) {
+ Ok(stat) => {
+ if stat.st_uid != u32::from(pbs_config::backup_user()?.uid)
+ || stat.st_gid != u32::from(pbs_config::backup_group()?.gid)
+ || stat.st_mode & 0o770 < file_mode
+ {
+ bail!(
+ "file {:?} has wrong permissions - check if it's owned by {}:{} and has {} permissions",
+ path.as_ref(),
+ pbs_config::backup_user()?.uid,
+ pbs_config::backup_group()?.gid,
+ file_mode
+ );
+ }
+ }
+ Err(err) => {
+ bail!("unable to open file {:?} - {err}", path.as_ref(),);
+ }
+ }
+ Ok(())
+}
+
fn make_tls_acceptor() -> Result<SslAcceptor, Error> {
let key_path = configdir!("/proxy.key");
let cert_path = configdir!("/proxy.pem");
@@ -375,6 +399,9 @@ fn make_tls_acceptor() -> Result<SslAcceptor, Error> {
let ciphers_tls_1_3 = config.ciphers_tls_1_3;
let ciphers_tls_1_2 = config.ciphers_tls_1_2;
+ check_permissions(key_path, 0o640)?;
+ check_permissions(cert_path, 0o640)?;
+
let mut acceptor = proxmox_rest_server::connection::TlsAcceptorBuilder::new()
.certificate_paths_pem(key_path, cert_path);
--
2.39.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next reply other threads:[~2024-08-23 9:11 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-23 9:12 Gabriel Goller [this message]
2024-08-27 9:37 ` Wolfgang Bumiller
2024-08-29 10:31 ` Gabriel Goller
2024-08-29 11:22 ` Wolfgang Bumiller
2024-08-29 12:10 ` Gabriel Goller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240823091215.124453-1-g.goller@proxmox.com \
--to=g.goller@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.