Re: [pbs-devel] [PATCH v2] rest-server: check permissions on proxy.key and proxy.pem files

From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Gabriel Goller <g.goller@proxmox.com>
Cc: pbs-devel@lists.proxmox.com
Subject: Re: [pbs-devel] [PATCH v2] rest-server: check permissions on proxy.key and proxy.pem files
Date: Thu, 29 Aug 2024 14:21:56 +0200	[thread overview]
Message-ID: <2ar5pj3cgxwqlyne4p5jfomwu6df3nxsskzul7ew3hcr676rtg@7dklhsjwdam4> (raw)
In-Reply-To: <20240829121047.243804-1-g.goller@proxmox.com>

On Thu, Aug 29, 2024 at 02:10:47PM GMT, Gabriel Goller wrote:
> To avoid openssl's unhelpful error messages when the proxy.key or
> proxy.pem files have the wrong permissions, we open the files. To load
> the private key, we can simply read from the file and pass it to the
> `set_private_key` openssl function. Sadly such a function does not exist
> for loading certificate chains, so we have to open and close the file
> before calling the `set_certificate_chain_file` fn.
> 
> Motivation: https://forum.proxmox.com/threads/proxmox-backup-tailscale-proxmox-backup-proxy-service-wont-boot.153204
> 
> Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
> ---
> 
> v2, thanks @Wolfgang:
>  - move check from proxmox-backup-server to proxmox-rest-server
>  - check permissions by opening files
> 
>  proxmox-rest-server/src/connection.rs | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/proxmox-rest-server/src/connection.rs b/proxmox-rest-server/src/connection.rs
> index fbdfe96cdfdb..f985d25f7e63 100644
> --- a/proxmox-rest-server/src/connection.rs
> +++ b/proxmox-rest-server/src/connection.rs
> @@ -12,19 +12,21 @@ use std::pin::{pin, Pin};
>  use std::sync::{Arc, Mutex};
>  use std::time::Duration;
>  
> -use anyhow::{format_err, Context as _, Error};
> +use anyhow::{format_err, Context, Error};
>  use futures::FutureExt;
>  use hyper::server::accept;
>  use openssl::ec::{EcGroup, EcKey};
>  use openssl::nid::Nid;
>  use openssl::pkey::{PKey, Private};
> -use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
> +use openssl::ssl::{SslAcceptor, SslMethod};
>  use openssl::x509::X509;
>  use tokio::net::{TcpListener, TcpStream};
>  use tokio::sync::mpsc;
>  use tokio_openssl::SslStream;
>  use tokio_stream::wrappers::ReceiverStream;
>  
> +use proxmox_sys::fs::file_read_string;
> +
>  #[cfg(feature = "rate-limited-stream")]
>  use proxmox_http::{RateLimitedStream, ShareableRateLimit};
>  
> @@ -88,9 +90,17 @@ impl TlsAcceptorBuilder {
>                      .context("failed to set tls acceptor certificate")?;
>              }
>              Some(Tls::FilesPem(key, cert)) => {
> +                let key_content =
> +                    file_read_string(key).context("Failed to read from private key file")?;

Why not `std::fs::read()`? openssl expects bytes below, the utf-8 check
is unnecessary.
(just include the path via `.with_context(|| format!(...))`)

>                  acceptor
> -                    .set_private_key_file(key, SslFiletype::PEM)
> +                    .set_private_key(PKey::private_key_from_pem(key_content.as_bytes())?.as_ref())
>                      .context("failed to set tls acceptor private key file")?;
> +
> +                {
> +                    // Check the permissions by opening the file
> +                    let _cert_fd = std::fs::File::open(&cert)
> +                        .context(format!("Failed to open certificate at {:?}", cert))?;

use `.with_context` to avoid formatting the string when no error
happens.

> +                }
>                  acceptor
>                      .set_certificate_chain_file(cert)
>                      .context("failed to set tls acceptor certificate chain file")?;
> -- 
> 2.39.2

_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel