[pbs-devel] [PATCH v2] rest-server: check permissions on proxy.key and proxy.pem files

Gabriel Goller g.goller at proxmox.com
Thu Aug 29 15:07:12 CEST 2024


On 29.08.2024 14:21, Wolfgang Bumiller wrote:
>On Thu, Aug 29, 2024 at 02:10:47PM GMT, Gabriel Goller wrote:
>> [skip]
>> @@ -88,9 +90,17 @@ impl TlsAcceptorBuilder {
>>                      .context("failed to set tls acceptor certificate")?;
>>              }
>>              Some(Tls::FilesPem(key, cert)) => {
>> +                let key_content =
>> +                    file_read_string(key).context("Failed to read from private key file")?;
>
>Why not `std::fs::read()`? openssl expects bytes below, the utf-8 check
>is unnecessary.
>(just include the path via `.with_context(|| format!(...))`)

Good point!

>>                  acceptor
>> -                    .set_private_key_file(key, SslFiletype::PEM)
>> +                    .set_private_key(PKey::private_key_from_pem(key_content.as_bytes())?.as_ref())
>>                      .context("failed to set tls acceptor private key file")?;
>> +
>> +                {
>> +                    // Check the permissions by opening the file
>> +                    let _cert_fd = std::fs::File::open(&cert)
>> +                        .context(format!("Failed to open certificate at {:?}", cert))?;
>
>use `.with_context` to avoid formatting the string when no error
>happens.

Done as well, thanks for the review!
Submitted a v3.




More information about the pbs-devel mailing list