From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gate001.proxmox.com (gate001.proxmox.com [IPv6:2a0f:8001:1:32::40]) by lore.proxmox.com (Postfix) with ESMTPS id 236C21FF13E for ; Wed, 01 Jul 2026 16:04:38 +0200 (CEST) Received: from gate001.proxmox.com (localhost.localdomain [127.0.0.1]) by gate001.proxmox.com (Proxmox) with ESMTP id A233221440; Wed, 01 Jul 2026 16:04:36 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v3 07/15] pbs-config: drop backup_group helper, use users gid instead Date: Wed, 1 Jul 2026 16:04:04 +0200 Message-ID: <20260701140412.200920-8-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260701140412.200920-1-c.ebner@proxmox.com> References: <20260701140412.200920-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1782914661367 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.042 Adjusted score from AWL reputation of 
From: address DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment (newer systems) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: SCDCE6TZC5T5J5DHPBZ3T4WSM4PQ6STU X-Message-ID-Hash: SCDCE6TZC5T5J5DHPBZ3T4WSM4PQ6STU X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Use the gid as reported for the backup user, which matches the `backup` group anyways. By this it is possible to use the user provided via proxmox-product-config::get_api_user() for chunk store operations instead, avoiding expensive user/group lookups. Signed-off-by: Christian Ebner
---
pbs-config/src/lib.rs | 12 +----------- pbs-datastore/Cargo.toml | 1 + pbs-datastore/src/chunk_store.rs | 27 +++++++++++++-------------- src/bin/proxmox-backup-proxy.rs | 5 +++-- src/bin/sg-tape-cmd.rs | 5 +++-- 5 files changed, 21 insertions(+), 29 deletions(-)
diff --git a/pbs-config/src/lib.rs b/pbs-config/src/lib.rs
index 73a8a87fa..e2b74f8a8 100644
--- a/pbs-config/src/lib.rs
+++ b/pbs-config/src/lib.rs
@@ -2,7 +2,7 @@ use std::os::unix::prelude::AsRawFd;
 use anyhow::{Error, bail, format_err};
 use hex::FromHex;
-use nix::unistd::{Gid, Group, Uid, User};
+use nix::unistd::{Uid, User};
 use proxmox_product_config::lockfile_create_options;
 use proxmox_sys::fs::DirLockGuard;
@@ -44,16 +44,6 @@ pub fn backup_user() -> Result {
 }
 }
-/// Return Group info for the 'backup' group (``getgrnam(3)``)
-pub fn backup_group() -> Result {
- if cfg!(test) {
- Ok(Group::from_gid(Gid::current())?.expect("current group does not exist"))
- } else {
- Group::from_name(BACKUP_GROUP_NAME)?
- .ok_or_else(|| format_err!("Unable to lookup '{}' group.", BACKUP_GROUP_NAME))
- }
-}
-
 /// Return User info for root
 pub fn priv_user() -> Result {
 if cfg!(test) {
diff --git a/pbs-datastore/Cargo.toml b/pbs-datastore/Cargo.toml
index 09991e530..b51438dc6 100644
--- a/pbs-datastore/Cargo.toml
+++ b/pbs-datastore/Cargo.toml
@@ -38,6 +38,7 @@ proxmox-http.workspace = true
 proxmox-human-byte.workspace = true
 proxmox-io.workspace = true
 proxmox-lang.workspace=true
+proxmox-product-config.workspace = true
 proxmox-s3-client = { workspace = true, features = [ "impl" ] }
 proxmox-schema = { workspace = true, features = [ "api-macro" ] }
 proxmox-section-config.workspace = true
diff --git a/pbs-datastore/src/chunk_store.rs b/pbs-datastore/src/chunk_store.rs
index a936f5034..09a0242fc 100644
--- a/pbs-datastore/src/chunk_store.rs
+++ b/pbs-datastore/src/chunk_store.rs
@@ -756,12 +756,11 @@ impl ChunkStore {
 .parent()
 .ok_or_else(|| format_err!("unable to get chunk dir"))?;
- let mut create_options = CreateOptions::new();
- if nix::unistd::Uid::effective().is_root() {
- let uid = pbs_config::backup_user()?.uid;
- let gid = pbs_config::backup_group()?.gid;
- create_options = create_options.owner(uid).group(gid);
- }
+ let create_options = if nix::unistd::Uid::effective().is_root() {
+ proxmox_product_config::default_create_options()
+ } else {
+ CreateOptions::new()
+ };
 proxmox_sys::fs::replace_file(
 &chunk_path,
 raw_data,
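Review bot: The root branch in the `@@ -756,12 +756,11 @@` hunk of `pbs-datastore/src/chunk_store.rs` now takes whatever `proxmox_product_config::default_create_options()` returns, whereas the old code set only owner and group on a fresh `CreateOptions::new()`. If that helper also fixes a permission mode (its body is not part of this patch), chunk files written as root end up with a different mode than files written through the unchanged non-root branch, and different from what existing datastores already contain. The same replacement is made in `create_marker_file` in the `@@ -813,12 +812,11 @@` hunk. Please confirm the resulting mode is the intended one for chunk and marker files and record it above the branch, for example `// root: owner, group and any mode come from the configured API user`. The enclosing method starts before this hunk and continues after it.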
@@ -813,12 +812,11 @@ impl ChunkStore {
 /// Helper to generate new empty marker file
 fn create_marker_file(path: &Path) -> Result<(), Error> {
- let mut create_options = CreateOptions::new();
- if nix::unistd::Uid::effective().is_root() {
- let uid = pbs_config::backup_user()?.uid;
- let gid = pbs_config::backup_group()?.gid;
- create_options = create_options.owner(uid).group(gid);
- }
+ let create_options = if nix::unistd::Uid::effective().is_root() {
+ proxmox_product_config::default_create_options()
+ } else {
+ CreateOptions::new()
+ };
 proxmox_sys::fs::replace_file(path, &[], create_options, false)
 }
@@ -904,8 +902,9 @@ impl ChunkStore {
 fn check_permissions>(path: T, file_mode: u32) -> Result<(), Error> {
 match nix::sys::stat::stat(path.as_ref()) {
 Ok(stat) => {
- if stat.st_uid != u32::from(pbs_config::backup_user()?.uid)
- || stat.st_gid != u32::from(pbs_config::backup_group()?.gid)
+ let backup_user = proxmox_product_config::get_api_user();
+ if stat.st_uid != u32::from(backup_user.uid)
+ || stat.st_gid != u32::from(backup_user.gid)
 || stat.st_mode & 0o777 != file_mode
 {
 bail!(
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index b372f779e..37af76ade 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -60,8 +60,9 @@ fn main() -> Result<(), Error> {
 proxmox_backup::tools::setup_safe_path_env();
- let backup_uid = pbs_config::backup_user()?.uid;
- let backup_gid = pbs_config::backup_group()?.gid;
+ let backup_user = pbs_config::backup_user()?;
+ let backup_uid = backup_user.uid;
+ let backup_gid = backup_user.gid;
 let running_uid = nix::unistd::Uid::effective();
 let running_gid = nix::unistd::Gid::effective();
diff --git a/src/bin/sg-tape-cmd.rs b/src/bin/sg-tape-cmd.rs
index 9ff73a4a4..7a365160b 100644
--- a/src/bin/sg-tape-cmd.rs
+++ b/src/bin/sg-tape-cmd.rs
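Review bot: In `check_permissions` (the `@@ -904,8 +902,9 @@` hunk of `chunk_store.rs`) the ownership check loses its error path: the old lookups were propagated with `?`, while `proxmox_product_config::get_api_user()` is called without one. What it does when the product config has not been initialised is not visible in this patch, so a caller that reaches this check early may no longer get an `Err` back. The removed `pbs_config::backup_group()` also had a `cfg!(test)` fallback to the current group, which the new call may lack, so the datastore tests that exercise this check should be re-run. A comment such as `// requires the product config to be initialised; gid is the API user's primary group` above the `let backup_user` line would document the precondition. The function body continues past the end of the hunk.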
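Review bot: In `src/bin/proxmox-backup-proxy.rs`, `backup_gid` is now the primary gid from the backup user's passwd entry instead of the gid of the group named `backup`, and it is presumably compared against the `running_gid` read right after it. The commit message states the two match, but nothing in the new code enforces that; on a host where the backup user's primary group differs, the privilege check would silently compare against another group than before. A comment on the assignment, e.g. `// primary gid of the backup user; expected to be the 'backup' group`, would record the assumption. The identical change in `src/bin/sg-tape-cmd.rs` has the same issue. `main` starts before and continues after the hunk.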
@@ -129,8 +129,9 @@ fn main() -> Result<(), Error> {
 .init()?;
 // check if we are user root or backup
- let backup_uid = pbs_config::backup_user()?.uid;
- let backup_gid = pbs_config::backup_group()?.gid;
+ let backup_user = pbs_config::backup_user()?;
+ let backup_uid = backup_user.uid;
+ let backup_gid = backup_user.gid;
 let running_uid = nix::unistd::Uid::current();
 let running_gid = nix::unistd::Gid::current();
-- 2.47.3