To: Dietmar Maurer <dietmar@proxmox.com>,
 Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>
References: <20210127103401.32535-1-d.csapak@proxmox.com>
 <20210127103401.32535-5-d.csapak@proxmox.com>
 <333263143.1171.1611769667899@webmail.proxmox.com>
From: Dominik Csapak <d.csapak@proxmox.com>
Message-ID: <33b303f2-883b-21e2-577d-6e2acf337af4@proxmox.com>
Date: Thu, 28 Jan 2021 09:05:24 +0100
In-Reply-To: <333263143.1171.1611769667899@webmail.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup 04/15] api2/tape: add missing
 protected to some api calls

On 1/27/21 6:47 PM, Dietmar Maurer wrote:
> 
>> On 01/27/2021 11:33 AM Dominik Csapak <d.csapak@proxmox.com> wrote:
>>
>>   
>> they need root permission either to access the changer/drive or to
>> modify the config
> 
> This looks wrong to me. Most things can/need to be done as user 'backup', especially the 'backup' API. Running backup as root user is wrong.
> 

ok for some things you're right, i had weird permissions on

/var/lib/proxmox-backup/tape

(for some reason it had no execute bit set..)

but if i omit the protected option, i can barely do anything:
media/drive/changer listing works, but a backup
fails with:


2021-01-28T09:03:17+01:00: update media online status
2021-01-28T09:03:17+01:00: TASK ERROR: Permission denied (os error 13)

i did not find out yet where the problem is, but i'm on it