From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup] fix #3060:: improve get_owner error handling
Date: Tue, 10 Nov 2020 12:08:13 +0100 [thread overview]
Message-ID: <20201110110813.2060005-1-f.gruenbichler@proxmox.com> (raw)
log invalid owners to system log, and continue with next group just as
if permission checks fail for the following operations:
- verify store with limited permissions
- list store groups
- list store snapshots
all other call sites either handle it correctly already (sync/pull), or
operate on a single group/snapshot and can bubble up the error.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/api2/admin/datastore.rs | 16 ++++++++++++++--
src/backup/verify.rs | 7 ++++++-
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/api2/admin/datastore.rs b/src/api2/admin/datastore.rs
index b051e8dd..8256f02f 100644
--- a/src/api2/admin/datastore.rs
+++ b/src/api2/admin/datastore.rs
@@ -187,7 +187,13 @@ fn list_groups(
let group = info.backup_dir.group();
let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0;
- let owner = datastore.get_owner(group)?;
+ let owner = match datastore.get_owner(group) {
+ Ok(auth_id) => auth_id,
+ Err(err) => {
+ println!("Failed to get owner of group '{}' - {}", group, err);
+ continue;
+ },
+ };
if !list_all && check_backup_owner(&owner, &auth_id).is_err() {
continue;
}
@@ -369,7 +375,13 @@ pub fn list_snapshots (
}
let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0;
- let owner = datastore.get_owner(group)?;
+ let owner = match datastore.get_owner(group) {
+ Ok(auth_id) => auth_id,
+ Err(err) => {
+ println!("Failed to get owner of group '{}' - {}", group, err);
+ continue;
+ },
+ };
if !list_all && check_backup_owner(&owner, &auth_id).is_err() {
continue;
diff --git a/src/backup/verify.rs b/src/backup/verify.rs
index e0e28ee9..b5bb85fc 100644
--- a/src/backup/verify.rs
+++ b/src/backup/verify.rs
@@ -516,7 +516,12 @@ pub fn verify_all_backups(
&& !owner.is_token()
&& group_owner.user() == owner.user())
},
- Err(_) => false,
+ Err(err) => {
+ // intentionally not in task log
+ // the task user might not be allowed to see this group!
+ println!("Failed to get owner of group '{}' - {}", group, err);
+ false
+ },
}
} else {
true
--
2.20.1
next reply other threads:[~2020-11-10 11:08 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-10 11:08 Fabian Grünbichler [this message]
2020-11-10 12:18 ` [pbs-devel] applied: " Dietmar Maurer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201110110813.2060005-1-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox