From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 94EC61FF163 for ; Thu, 12 Sep 2024 16:34:31 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9A2A434844; Thu, 12 Sep 2024 16:34:30 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Date: Thu, 12 Sep 2024 16:33:09 +0200 Message-Id: <20240912143322.548839-21-c.ebner@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240912143322.548839-1-c.ebner@proxmox.com> References: <20240912143322.548839-1-c.ebner@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.022 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH v3 proxmox-backup 20/33] api: sync: add permission checks for push sync jobs X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" For sync jobs in push direction, also permissions to modify and prune the snapshots on the remote datastore are required, in contrast to the pull sync job. Add additional permissions to be checked on the local instance before attempting operating on the remote. Signed-off-by: Christian Ebner --- changes since version 2: - not present in previous version src/api2/admin/sync.rs | 18 +++++++++++++++--- src/api2/config/sync.rs | 33 ++++++++++++++++++++++++++++++++- 2 files changed, 47 insertions(+), 4 deletions(-) diff --git a/src/api2/admin/sync.rs b/src/api2/admin/sync.rs index bdbc06a8e..0fad10d0c 100644 --- a/src/api2/admin/sync.rs +++ b/src/api2/admin/sync.rs @@ -18,7 +18,10 @@ use pbs_config::sync; use pbs_config::CachedUserInfo; use crate::{ - api2::config::sync::{check_sync_job_modify_access, check_sync_job_read_access}, + api2::config::sync::{ + check_sync_job_modify_access, check_sync_job_read_access, + check_sync_job_remote_datastore_backup_access, + }, server::jobstate::{compute_schedule_status, Job, JobState}, server::sync::do_sync_job, }; @@ -121,8 +124,17 @@ pub fn run_sync_job( let sync_direction = sync_direction.unwrap_or_default(); let sync_job: SyncJobConfig = config.lookup(sync_direction.as_config_type_str(), &id)?; - if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job) { - bail!("permission check failed"); + match sync_direction { + SyncDirection::Pull => { + if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job) { + bail!("permission check failed, '{auth_id}' is missing access on datastore"); + } + } + SyncDirection::Push => { + if !check_sync_job_remote_datastore_backup_access(&user_info, &auth_id, &sync_job) { + bail!("permission check failed, '{auth_id}' is missing access on remote"); + } + } } let job = Job::new("syncjob", &id)?; diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs index a21e0bd6f..5035df8c9 100644 --- a/src/api2/config/sync.rs +++ b/src/api2/config/sync.rs @@ -10,7 +10,8 @@ use proxmox_schema::{api, param_bail}; use pbs_api_types::{ Authid, SyncJobConfig, SyncJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_REMOTE_AUDIT, - PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA, SYNC_DIRECTION_SCHEMA, + PRIV_REMOTE_DATASTORE_BACKUP, PRIV_REMOTE_DATASTORE_PRUNE, PRIV_REMOTE_READ, + PROXMOX_CONFIG_DIGEST_SCHEMA, SYNC_DIRECTION_SCHEMA, }; use pbs_config::sync; @@ -76,6 +77,36 @@ pub fn check_sync_job_modify_access( true } +/// Check user privileges required to push contents to a remote datastore. +pub fn check_sync_job_remote_datastore_backup_access( + user_info: &CachedUserInfo, + auth_id: &Authid, + job: &SyncJobConfig, +) -> bool { + if let Some(remote) = &job.remote { + let mut acl_path = vec!["remote", remote, &job.remote_store]; + + if let Some(namespace) = job.remote_ns.as_ref() { + if namespace.is_root() { + let ns_components: Vec<&str> = namespace.components().collect(); + acl_path.extend(ns_components); + } + } + + let remote_privs = user_info.lookup_privs(auth_id, &acl_path); + + if let Some(true) = job.remove_vanished { + if remote_privs & PRIV_REMOTE_DATASTORE_PRUNE == 0 { + return false; + } + } + + return remote_privs & PRIV_REMOTE_DATASTORE_BACKUP != 0; + } + + false +} + #[api( input: { properties: { -- 2.39.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel