From: "Max Carrara" <m.carrara@proxmox.com>
To: "Thomas Lamprecht" <t.lamprecht@proxmox.com>,
"Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH v1 pve-common 09/18] pbsclient: create secret dir with `mkdir -p` and mode `700`
Date: Thu, 21 Nov 2024 17:09:19 +0100 [thread overview]
Message-ID: <D5RZJWMU80YM.1WF4PHKFM9BUZ@proxmox.com> (raw)
In-Reply-To: <aa54f5fe-6fd1-4d56-8922-e6f6022419e6@proxmox.com>
On Mon Nov 11, 2024 at 8:16 PM CET, Thomas Lamprecht wrote:
> Am 02.08.24 um 15:26 schrieb Max Carrara:
> > .. instead of using a regular `mkdir` call.
> >
> > The `File::Path::make_path` subroutine is used for this purpose, which
> > recursively creates all directories if they didn't exist before. Upon
> > creation of those directories, the mode is also set to `700`.
> >
> > This means that (like before), directory permissions are left
> > untouched if the directory existed already.
>
> this is already enforced by pmxcfs for our case though?
Even though pmxcfs enforces this, the library may still be used in a
context outside of pmxcfs. For example, I could write a simple script
with `use PVE::PBSClient;` for my own backup management purposes and use
a separate directory to store secrets.
This is obviously theoretical, *but* because the possibility exists that
*someone* out there might use the library that way, I decided to be a
bit more defensive here.
To give a more elaborate example, let's say I have a regular user
account on a PVE host and I use this library to do ... some stuff
regarding backups of my VMs the admin allows me to run on that host.
Because I don't have permissions to access `/etc/pve/priv/storage` (I
don't have rights to `root`) I set the secret dir to something like
"$HOME/.config/pve/priv/storage" or whatever.
Because the admin forgot to configure `/etc/skel`, the permissions of my
home directory are 0755 -- and because I forgot to change them myself,
my home directory is accessible to other users.
If we didn't set the secret dir to 0700 here, other users could access
my credentials.
>
> And not sure about making the whole base path 0700, might be better
> to create only the last directory as such? but this is generally something
> where IMO lots can go wrong with little benefit, so not so sure about
> this one.
Setting just the last dir 0700 seems better actually, I agree.
I'm still in favour to be a little restrictive here. Perhaps I'm a
little overly cautious; I'm not sure if anyone would ever find
themselves in the scenario I described above. Usually I don't want to
implement things upfront because they're merely "possible" or because
there's some magical, potential case it will be used either (YAGNI etc.)
but in this case it does have obvious implications regarding security
IMO.
As an alternative, we could also just not allow specifying a custom
secret dir and hardcode it to `/etc/pve/storage/priv`, then all of the
above isn't possible in the first place and doesn't need to be dealt
with.
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2024-11-21 16:09 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-02 13:26 [pve-devel] [PATCH v1 pve-common 00/18] Introduction of libproxmox-backup-client-perl Max Carrara
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 01/18] pbsclient: rename 'sdir' parameter of constructor to 'secret_dir' Max Carrara
2024-11-11 19:08 ` [pve-devel] applied: " Thomas Lamprecht
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 02/18] pbsclient: use parentheses when calling most inbuilts Max Carrara
2024-11-11 19:08 ` [pve-devel] applied: " Thomas Lamprecht
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 03/18] pbsclient: use post-if definedness checks instead of '//=' operator Max Carrara
2024-11-11 19:09 ` [pve-devel] applied: " Thomas Lamprecht
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 04/18] pbsclient: pull variable out of long post-if definedness check Max Carrara
2024-11-11 19:09 ` [pve-devel] applied: " Thomas Lamprecht
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 05/18] pbsclient: use cond. statements instead of chained 'or' operators Max Carrara
2024-11-11 19:10 ` Thomas Lamprecht
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 06/18] pbsclient: use spaces around list braces and parens around ternaries Max Carrara
2024-11-11 19:11 ` [pve-devel] applied: " Thomas Lamprecht
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 07/18] pbsclient: s/foreach/for Max Carrara
2024-11-11 19:11 ` [pve-devel] applied: " Thomas Lamprecht
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 08/18] pbsclient: document package and its public functions & methods Max Carrara
2024-11-11 19:14 ` Thomas Lamprecht
2024-11-21 15:54 ` Max Carrara
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 09/18] pbsclient: create secret dir with `mkdir -p` and mode `700` Max Carrara
2024-11-11 19:16 ` Thomas Lamprecht
2024-11-21 16:09 ` Max Carrara [this message]
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 10/18] pbsclient: use `File::Spec->catfile` to concatenate file paths Max Carrara
2024-11-11 19:16 ` Thomas Lamprecht
2024-11-21 16:17 ` Max Carrara
2024-11-22 12:46 ` Thomas Lamprecht
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 11/18] pbsclient: let `status` method return a hash instead of an array Max Carrara
2024-11-11 19:17 ` Thomas Lamprecht
2024-11-21 16:29 ` Max Carrara
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 12/18] pbsclient: throw exception if username of client has no realm Max Carrara
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 13/18] pbsclient: make method `password_file_name` public Max Carrara
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 14/18] pbsclient: prohibit implicit return Max Carrara
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 15/18] pbsclient: don't return anything in PXAR methods Max Carrara
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 16/18] pbsclient: don't return anything in `forget_snapshot` Max Carrara
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 17/18] make: support building multiple packages from the same source Max Carrara
2024-08-02 13:26 ` [pve-devel] [PATCH v1 pve-common 18/18] deb: split PBSClient.pm into new package libproxmox-backup-client-perl Max Carrara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D5RZJWMU80YM.1WF4PHKFM9BUZ@proxmox.com \
--to=m.carrara@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=t.lamprecht@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox