public inbox for pbs-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Gabriel Goller <g.goller@proxmox.com>
Cc: pbs-devel@lists.proxmox.com
Subject: Re: [pbs-devel] [PATCH proxmox-backup] proxy: check permissions on proxy.key and proxy.pem files
Date: Tue, 27 Aug 2024 11:37:09 +0200	[thread overview]
Message-ID: <l4sd4x65dhpjr55ivmnlbteddourfvv5raa5f4ibdlwgniinaa@ut4qn5pszi26> (raw)
In-Reply-To: <20240823091215.124453-1-g.goller@proxmox.com>

NAK

On Fri, Aug 23, 2024 at 11:12:15AM GMT, Gabriel Goller wrote:
> Check the owner and permission of the proxy.key and proxy.pem files.
> This avoids openssl's unhelpful error message and prints a nicer one.
> 
> Motivation: https://forum.proxmox.com/threads/proxmox-backup-tailscale-proxmox-backup-proxy-service-wont-boot.153204
> 
> Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
> ---
> 
> Note: not sure about the correct permissions, we currently default to
> 640, but maybe a minimum of 400 is enough?
> 
>  src/bin/proxmox-backup-proxy.rs | 27 +++++++++++++++++++++++++++
>  1 file changed, 27 insertions(+)
> 
> diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
> index 041f3aff999c..544196b8bc5d 100644
> --- a/src/bin/proxmox-backup-proxy.rs
> +++ b/src/bin/proxmox-backup-proxy.rs
> @@ -367,6 +367,30 @@ async fn run() -> Result<(), Error> {
>      Ok(())
>  }
>  
> +/// Check permissions and owner of passed path.
> +fn check_permissions<T: AsRef<Path>>(path: T, file_mode: u32) -> Result<(), Error> {
> +    match nix::sys::stat::stat(path.as_ref()) {
> +        Ok(stat) => {
> +            if stat.st_uid != u32::from(pbs_config::backup_user()?.uid)
> +                || stat.st_gid != u32::from(pbs_config::backup_group()?.gid)
> +                || stat.st_mode & 0o770 < file_mode

If you want to test whether you can open a file, you should either just
`open(2)` it, or, if you really want to avoid it, use `access(2)`.
You do not ever want to attempt to try to perform the kernel's
permission checks yourself. There could be ACLs, AppArmor profiles, ...
and while we can say that, for now, this is not supposed to be the case,
it's bad practice in general.

Also note that this only covers the case at a point in time where the
certificate isn't actually loaded, and won't help with changes to the
permissions while a daemon is already running.

A better approach to handle this specific case would be to adapt
`proxmox-rest-server`'s handling of `Tls::PemFiles` so that instead of
using `openssl`'s ".set_private_key_file()` convenience methods, it
loads the files, and handles `EPERM`/`ENOENT`/... with useful error
messags, and then uses
`acceptor.set_private_key(PKey::private_key_from_pem(data)?)`


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


  reply	other threads:[~2024-08-27  9:37 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-08-23  9:12 Gabriel Goller
2024-08-27  9:37 ` Wolfgang Bumiller [this message]
2024-08-29 10:31   ` Gabriel Goller
2024-08-29 11:22     ` Wolfgang Bumiller
2024-08-29 12:10       ` Gabriel Goller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=l4sd4x65dhpjr55ivmnlbteddourfvv5raa5f4ibdlwgniinaa@ut4qn5pszi26 \
    --to=w.bumiller@proxmox.com \
    --cc=g.goller@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal