[pbs-devel] [PATCH v2] rest-server: check permissions on proxy.key and proxy.pem files
Gabriel Goller
g.goller at proxmox.com
Thu Aug 29 15:07:12 CEST 2024
On 29.08.2024 14:21, Wolfgang Bumiller wrote:
>On Thu, Aug 29, 2024 at 02:10:47PM GMT, Gabriel Goller wrote:
>> [skip]
>> @@ -88,9 +90,17 @@ impl TlsAcceptorBuilder {
>> .context("failed to set tls acceptor certificate")?;
>> }
>> Some(Tls::FilesPem(key, cert)) => {
>> + let key_content =
>> + file_read_string(key).context("Failed to read from private key file")?;
>
>Why not `std::fs::read()`? openssl expects bytes below, the utf-8 check
>is unnecessary.
>(just include the path via `.with_context(|| format!(...))`)
Good point!
>> acceptor
>> - .set_private_key_file(key, SslFiletype::PEM)
>> + .set_private_key(PKey::private_key_from_pem(key_content.as_bytes())?.as_ref())
>> .context("failed to set tls acceptor private key file")?;
>> +
>> + {
>> + // Check the permissions by opening the file
>> + let _cert_fd = std::fs::File::open(&cert)
>> + .context(format!("Failed to open certificate at {:?}", cert))?;
>
>use `.with_context` to avoid formatting the string when no error
>happens.
Done as well, thanks for the review!
Submitted a v3.
More information about the pbs-devel
mailing list