From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gate001.proxmox.com (gate001.proxmox.com [IPv6:2a0f:8001:1:32::40]) by lore.proxmox.com (Postfix) with ESMTPS id E2EE21FF13E for ; Wed, 01 Jul 2026 16:04:59 +0200 (CEST) Received: from gate001.proxmox.com (localhost.localdomain [127.0.0.1]) by gate001.proxmox.com (Proxmox) with ESMTP id B2AC0213BC; Wed, 01 Jul 2026 16:04:59 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v3 03/15] pbs-config: use proxmox-product-config::replace_secret_config() Date: Wed, 1 Jul 2026 16:04:00 +0200 Message-ID: <20260701140412.200920-4-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260701140412.200920-1-c.ebner@proxmox.com> References: <20260701140412.200920-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1782914660233 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.000 Adjusted score from AWL reputation of From: address DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment (newer systems) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: T2RTUDFSBIXAPV27EUCYFBWEPBLS7E64 X-Message-ID-Hash: T2RTUDFSBIXAPV27EUCYFBWEPBLS7E64 X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Instead of using the pbs-config local implementation, use the product general implementation, dropping the local one instead. Since proxmox-product-config::replace_secret_config() requires the api- and priv-user to be initialized, any calling codepath must guarantee to have run proxmox-product-config::init() once, so do that for proxmox-tape as well, while proxy, api and manager are already initializing it. Signed-off-by: Christian Ebner --- pbs-config/Cargo.toml | 1 + pbs-config/src/lib.rs | 17 ----------------- pbs-config/src/notifications.rs | 5 ++++- src/bin/proxmox-tape.rs | 8 ++++++++ src/tape/encryption_keys.rs | 3 ++- 5 files changed, 15 insertions(+), 19 deletions(-) diff --git a/pbs-config/Cargo.toml b/pbs-config/Cargo.toml index 04687cb59..d07b4de89 100644 --- a/pbs-config/Cargo.toml +++ b/pbs-config/Cargo.toml @@ -23,6 +23,7 @@ proxmox-http.workspace = true proxmox-lang.workspace = true proxmox-notify.workspace = true proxmox-router = { workspace = true, default-features = false } +proxmox-product-config.workspace = true proxmox-s3-client.workspace = true proxmox-schema.workspace = true proxmox-section-config.workspace = true diff --git a/pbs-config/src/lib.rs b/pbs-config/src/lib.rs index a194d70ac..1d32d23e2 100644 --- a/pbs-config/src/lib.rs +++ b/pbs-config/src/lib.rs @@ -139,23 +139,6 @@ pub fn replace_backup_config>(path: P, data: &[u8]) -> Ok(()) } -/// Atomically write data to file owned by "root:root" with permission "0600" -/// -/// Only the superuser can read and write those files. -pub fn replace_secret_config>(path: P, data: &[u8]) -> Result<(), Error> { - let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600); - // set the correct owner/group/permissions while saving file - // owner(rw) = root, group(r)= root - let options = proxmox_sys::fs::CreateOptions::new() - .perm(mode) - .owner(nix::unistd::ROOT) - .group(nix::unistd::Gid::from_raw(0)); - - proxmox_sys::fs::replace_file(path, data, options, true)?; - - Ok(()) -} - /// Detect modified configuration files /// /// This function fails with a reasonable error message if checksums do not match. diff --git a/pbs-config/src/notifications.rs b/pbs-config/src/notifications.rs index 3ee019f23..cbdbcee7a 100644 --- a/pbs-config/src/notifications.rs +++ b/pbs-config/src/notifications.rs @@ -35,7 +35,10 @@ pub fn config() -> Result { pub fn save_config(config: Config) -> Result<(), Error> { let (cfg, priv_cfg) = config.write()?; crate::replace_backup_config(NOTIFICATION_CONFIG_PATH, cfg.as_bytes())?; - crate::replace_secret_config(NOTIFICATION_PRIV_CONFIG_PATH, priv_cfg.as_bytes())?; + proxmox_product_config::replace_secret_config( + NOTIFICATION_PRIV_CONFIG_PATH, + priv_cfg.as_bytes(), + )?; Ok(()) } diff --git a/src/bin/proxmox-tape.rs b/src/bin/proxmox-tape.rs index 1d26b31e8..8e52bc5d0 100644 --- a/src/bin/proxmox-tape.rs +++ b/src/bin/proxmox-tape.rs @@ -1116,5 +1116,13 @@ fn main() { let mut rpcenv = CliEnvironment::new(); rpcenv.set_auth_id(Some(String::from("root@pam"))); + if let Err(err) = proxmox_lang::try_block!({ + proxmox_product_config::init(pbs_config::backup_user()?, pbs_config::priv_user()?); + Ok::<(), Error>(()) + }) { + eprintln!("Failed on product config init: {err}"); + std::process::exit(-1); + } + proxmox_async::runtime::main(run_async_cli_command(cmd_def, rpcenv)); } diff --git a/src/tape/encryption_keys.rs b/src/tape/encryption_keys.rs index 42e4931a5..1af7decaa 100644 --- a/src/tape/encryption_keys.rs +++ b/src/tape/encryption_keys.rs @@ -18,8 +18,9 @@ use serde::{Deserialize, Serialize}; use proxmox_sys::fs::file_read_optional_string; use pbs_api_types::Fingerprint; -use pbs_config::{open_backup_lockfile, replace_backup_config, replace_secret_config}; +use pbs_config::{open_backup_lockfile, replace_backup_config}; use pbs_key_config::KeyConfig; +use proxmox_product_config::replace_secret_config; mod hex_key { use hex::FromHex; -- 2.47.3