From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 2255C6095E for ; Fri, 9 Oct 2020 11:21:41 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 161EA154D2 for ; Fri, 9 Oct 2020 11:21:11 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 99464154BB for ; Fri, 9 Oct 2020 11:21:07 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 5F58145C9C for ; Fri, 9 Oct 2020 11:21:07 +0200 (CEST) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Fri, 9 Oct 2020 11:21:01 +0200 Message-Id: <20201009092102.1959849-1-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.034 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [reader.rs, environment.rs] Subject: [pbs-devel] [PATCH proxmox-backup 1/2] reader: track index chunks and limit access X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Oct 2020 09:21:41 -0000 a reader connection should not be allowed to read arbitrary chunks in the datastore, but only those that were previously registered by opening the corresponding index files. this mechanism is needed to allow unprivileged users (that don't have full READ permissions on the whole datastore) access to their own backups via a reader environment. Signed-off-by: Fabian Grünbichler --- Notes: sync uses a separate reader per snapshot that gets pulled, so this works there as well. src/api2/reader.rs | 26 ++++++++++++++++++++++++++ src/api2/reader/environment.rs | 17 +++++++++++++---- 2 files changed, 39 insertions(+), 4 deletions(-) diff --git a/src/api2/reader.rs b/src/api2/reader.rs index 0dd45940..5bdd81b7 100644 --- a/src/api2/reader.rs +++ b/src/api2/reader.rs @@ -194,6 +194,27 @@ fn download_file( path.push(&file_name); env.log(format!("download {:?}", path.clone())); + + let index: Option> = match archive_type(&file_name)? { + ArchiveType::FixedIndex => { + let index = env.datastore.open_fixed_reader(&path)?; + Some(Box::new(index)) + } + ArchiveType::DynamicIndex => { + let index = env.datastore.open_dynamic_reader(&path)?; + Some(Box::new(index)) + } + _ => { None } + }; + + if let Some(index) = index { + env.log(format!("register chunks in '{}' as downloadable.", file_name)); + + for pos in 0..index.index_count() { + let info = index.chunk_info(pos).unwrap(); + env.register_chunk(info.digest); + } + } helpers::create_download_response(path).await }.boxed() @@ -224,6 +245,11 @@ fn download_chunk( let digest_str = tools::required_string_param(¶m, "digest")?; let digest = proxmox::tools::hex_to_digest(digest_str)?; + if !env.check_chunk_access(digest) { + env.log(format!("attempted to download chunk {} which is not in registered chunk list", digest_str)); + return Err(http_err!(UNAUTHORIZED, "download chunk {} not allowed", digest_str)); + } + let (path, _) = env.datastore.chunk_path(&digest); let path2 = path.clone(); diff --git a/src/api2/reader/environment.rs b/src/api2/reader/environment.rs index 87bd5747..4c7db36f 100644 --- a/src/api2/reader/environment.rs +++ b/src/api2/reader/environment.rs @@ -1,5 +1,5 @@ -//use anyhow::{bail, format_err, Error}; -use std::sync::Arc; +use std::sync::{Arc,RwLock}; +use std::collections::HashSet; use serde_json::{json, Value}; @@ -23,7 +23,7 @@ pub struct ReaderEnvironment { pub worker: Arc, pub datastore: Arc, pub backup_dir: BackupDir, - // state: Arc> + allowed_chunks: Arc>>, } impl ReaderEnvironment { @@ -45,7 +45,7 @@ impl ReaderEnvironment { debug: false, formatter: &JSON_FORMATTER, backup_dir, - //state: Arc::new(Mutex::new(state)), + allowed_chunks: Arc::new(RwLock::new(HashSet::new())), } } @@ -57,6 +57,15 @@ impl ReaderEnvironment { if self.debug { self.worker.log(msg); } } + + pub fn register_chunk(&self, digest: [u8;32]) { + let mut allowed_chunks = self.allowed_chunks.write().unwrap(); + allowed_chunks.insert(digest); + } + + pub fn check_chunk_access(&self, digest: [u8;32]) -> bool { + self.allowed_chunks.read().unwrap().contains(&digest) + } } impl RpcEnvironment for ReaderEnvironment { -- 2.20.1