/etc/proxmox-backup permissions enforcement

jg1

Hi, I recently set up Proxmox Backup Server and want to use Caddy as a reverse proxy in front of it, as I do for all services. I use the built-in ACME service to get my certificates and add the caddy user to the backup group so I can access the certificates in /etc/proxmox-backup. Unfortunately the proxmox-backup-api refuses to run because the permissions on the folder are set to 750 to give caddy access. I don't see any reason to have such enforcement mechanisms in place. It should be up to the system administrator to handle permissions.

Code:
proxmox-backup-api[6901]: Error: configuration directory '/etc/proxmox-backup' permission problem - wrong permission (750 != 700)

Is there a config to allow this?
 
Hi!
This has been done for security reasons. There is some sensitive data in the config folder, such as passwords of remotes, authentication keys, etc.
I don't see why you would reuse the pbs certificate on your reverse proxy though?
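
A pre-flight check for the condition in the error message above, as an added example that is not part of the thread or of Proxmox's own code. It assumes the service requires the directory mode to be exactly 700, as the log line shows; the function names `dir_mode` and `check_config_dir` are hypothetical.

```shell
#!/bin/sh
# Added example (not Proxmox code): verify a config directory's mode before
# restarting a service that enforces it. Assumption: the service compares the
# permission bits to exactly 700, as the error message in this thread shows.

# Print the octal permission bits of a path (GNU stat, BSD stat as fallback).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_config_dir DIR [EXPECTED]
# Returns 0 if DIR has exactly the expected mode, 1 if the mode differs,
# 2 if DIR is missing or is not a directory.
check_config_dir() {
    dir=$1
    expected=${2:-700}
    if [ ! -d "$dir" ]; then
        echo "configuration directory '$dir' is missing or not a directory" >&2
        return 2
    fi
    mode=$(dir_mode "$dir") || return 2
    if [ "$mode" = "$expected" ]; then
        return 0
    fi
    echo "configuration directory '$dir' permission problem - wrong permission ($mode != $expected)" >&2
    # Say which class holds the extra access so the finding is actionable.
    group_bits=$(( (0$mode >> 3) & 7 ))
    other_bits=$(( 0$mode & 7 ))
    if [ "$group_bits" -ne 0 ]; then
        echo "  group has access (rwx bits: $group_bits)" >&2
    fi
    if [ "$other_bits" -ne 0 ]; then
        echo "  others have access (rwx bits: $other_bits)" >&2
    fi
    return 1
}

# Usage: check_config_dir /etc/proxmox-backup
```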
 
I ended up generating certificates separately and skipping certificate verification for the backend which I think is a better solution. I still don't think the 700 permission enforcement is very useful. Suppose the reverse proxy gets compromised. If it has read access to /etc/proxmox-backup or not doesn't really matter, it is game over for the backup server either way.
 
