[pbs-devel] [PATCH proxmox-backup 15/22] file-restore-daemon: add binary with virtio-vsock API server

Dietmar Maurer dietmar at proxmox.com
Wed Feb 17 12:26:37 CET 2021


> diff --git a/src/bin/proxmox_restore_daemon/api.rs b/src/bin/proxmox_restore_daemon/api.rs
> new file mode 100644
> index 00000000..3c642aaf
> --- /dev/null
> +++ b/src/bin/proxmox_restore_daemon/api.rs
> @@ -0,0 +1,45 @@
> +///! File-restore API running inside the restore VM
> +use anyhow::Error;
> +use serde_json::Value;
> +use std::fs;
> +
> +use proxmox::api::{api, ApiMethod, Permission, Router, RpcEnvironment, SubdirMap};
> +use proxmox::list_subdirs_api_method;
> +
> +use proxmox_backup::api2::types::*;
> +
> +// NOTE: All API endpoints must have Permission::World, as the configs for authentication do not
> +// exist within the restore VM. Safety is guaranteed since we use a low port, so only root on the
> +// host can contact us - and there the proxmox-backup-client validates permissions already.

AFAIK, this assumption is wrong. Anyone can connect to a low port! 
Only bind() is restricted to root.

Also, we want to connect as user "backup"?





More information about the pbs-devel mailing list