From: Shannon Sterz <s.sterz@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH cluster v4 1/2] pmxcfs: remove world-readable permissions from backups
Date: Wed, 18 Mar 2026 12:11:10 +0100 [thread overview]
Message-ID: <20260318111111.114933-2-s.sterz@proxmox.com> (raw)
In-Reply-To: <20260318111111.114933-1-s.sterz@proxmox.com>
This could lead to information disclosure of data that is private
within pmxcfs. Currently the impact is low as a backup is only
triggered before joining a new cluster. However, if we trigger more
backups going forward, this could leak sensitive information.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
the version in the postinst hook should probably be adapted when
pve-cluster is bumped.
debian/pve-cluster.dirs | 1 +
debian/pve-cluster.postinst | 8 ++++++++
src/PVE/Cluster.pm | 5 +++--
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/debian/pve-cluster.dirs b/debian/pve-cluster.dirs
index a07aa4e..df4a258 100644
--- a/debian/pve-cluster.dirs
+++ b/debian/pve-cluster.dirs
@@ -1,2 +1,3 @@
/usr/bin
/var/lib/pve-cluster
+/var/lib/pve-cluster/backup
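Review bot: listing `/var/lib/pve-cluster/backup` in `pve-cluster.dirs` makes dpkg create the directory with its default directory mode before the postinst runs, so the restrictive mode depends entirely on `update_permissions` firing for that version range (or on `cfs_backup_database` chmod'ing the directory at the next backup). Worth a sentence in the commit message that this entry mainly guarantees the postinst has a directory to chmod on upgrade, and that a fresh install relies on the version comparison with an empty `$2` to hit the same branch.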
diff --git a/debian/pve-cluster.postinst b/debian/pve-cluster.postinst
index 34bf0e1..048199e 100644
--- a/debian/pve-cluster.postinst
+++ b/debian/pve-cluster.postinst
@@ -11,12 +11,20 @@ remove_fabrics_directory() {
fi
}
+update_permissions() {
+ chmod 0600 /var/lib/pve-cluster/backup;
+}
+
case "$1" in
configure)
# TODO: remove with PVE 10+
if dpkg --compare-versions "$2" 'lt' '9.0.1'; then
remove_fabrics_directory
fi
+
+ if dpkg --compare-versions "$2" 'lt' '9.1.1'; then
+ update_permissions
+ fi
;;
esac
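Review bot: `chmod 0600` in `update_permissions` drops the search (execute) bit from a directory, which is unconventional; `0700` is the usual owner-only directory mode and expresses the intent without relying on root's ability to traverse a non-searchable directory. The trailing `;` after the `chmod` is harmless but unidiomatic in shell. Also note the chmod is not recursive, so any `config-*.sql.gz` files written before this change keep their previous mode and are protected only by the parent directory; that is sufficient as long as nothing hands out a path into the directory, but a short comment in `update_permissions` saying so would help the next reader.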
diff --git a/src/PVE/Cluster.pm b/src/PVE/Cluster.pm
index bdb465f..e96a7fe 100644
--- a/src/PVE/Cluster.pm
+++ b/src/PVE/Cluster.pm
@@ -9,7 +9,7 @@ use File::Path qw(make_path);
use JSON;
use List::Util;
use Net::SSLeay;
-use POSIX qw(ENOENT);
+use POSIX qw(ENOENT EEXIST);
use Socket;
use Storable qw(dclone);
use Time::HiRes qw(usleep);
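Review bot: the added `EEXIST` import from POSIX is not what the `$!{EEXIST}` check in the next hunk uses: `%!` is the Errno hash and is loaded on first use without any import, so the POSIX constant is unused as written. Either drop the import again or compare against the constant directly (`$! == EEXIST`) so the import has a reader.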
@@ -892,7 +892,8 @@ sub complete_migration_target {
# NOTE: filesystem must be offline here, no DB changes allowed
sub cfs_backup_database {
- mkdir $dbbackupdir;
+ mkdir $dbbackupdir or $!{EEXIST} or die "failed to create backup dir - $!\n";
+ chmod 0600, $dbbackupdir or die "failed to change mode for backup dir - $!\n";
my $ctime = time();
my $backup_fn = "$dbbackupdir/config-$ctime.sql.gz";
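Review bot: between `mkdir $dbbackupdir` and the following `chmod`, a freshly created directory briefly carries the umask-derived mode, so the window is small but exists; passing the mode to mkdir (`mkdir $dbbackupdir, 0700`) removes it, after which the chmod is only needed to fix directories created before this change. Independently of that, `0600` on a directory omits the search bit; `0700` is the conventional owner-only directory mode. The `or $!{EEXIST}` branch also accepts any pre-existing path at `$dbbackupdir`, not only a directory, and the chmod is then applied to whatever is there; a `-d $dbbackupdir or die` after that line would catch a stray file. Finally, both new `die`s make a failed backup fatal to the caller where the old code silently continued; the 2/2 in this series covers that per its subject.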
--
2.47.3
Thread overview:
2026-03-18 11:11 [PATCH cluster v4 0/2] pmxcfs fix backup directory permissions Shannon Sterz
2026-03-18 11:11 ` Shannon Sterz [this message]
2026-03-18 11:11 ` [PATCH cluster v4 2/2] pmxcfs: don't abort join when backup fails and keep old config database Shannon Sterz
2026-03-18 14:27 ` applied: [PATCH cluster v4 0/2] pmxcfs fix backup directory permissions Thomas Lamprecht