PostUp/PreUp/PostDown/PreDown Dangerous?

Jordan Glover Golden_Miller83 at protonmail.ch
Sat Jun 23 00:13:22 CEST 2018


On June 22, 2018 9:26 PM, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:

> How about not supporting direct execution of commands in the config [Interface] section but rather support an optional path to where a fixed command (ex. wireguard.script) is found...
> 
>     ActionScriptDir = /usr/local/bin
> 
> Then instead of executing the PostUp/PostDown/PreUp/PreDown data, the wg-quick script would call:
> 
>     /usr/local/bin/wireguard.script PRE_UP|PRE_DOWN|POST_UP|POST_DOWN "$INTERFACE"
> 
> 1.  When called, the first argument would be one of: PRE_UP|PRE_DOWN|POST_UP|POST_DOWN
> 2.  When called, the second argument would be the wireguard interface.
> 3.  If ActionScriptDir is not defined, then wireguard.script is not called.
> 
> This requires an extra step to be taken to create a wireguard.script file with execute permissions and possibly require specific ownership.
> 
> Lonnie

But the attacker will helpfully provide you a customized 'wireguard.script' as well,
and even tell you how to use it by setting 'chmod 4777 wireguard.script'.

Jordan
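As an added example (not code from this thread and not wg-quick's own), here is what the dispatcher in Lonnie's proposal could look like with the ownership and permission requirements he mentions made into explicit checks: the hook is only run from a root-owned, non-writable, non-setuid file, the action is restricted to the four fixed verbs, and the interface name is passed as an argument rather than evaluated. The specific checks, the OWNER parameter and the interface-name character set are this example's assumptions.

```sh
#!/bin/sh
# Added example, not wg-quick's own code: emulates the proposed ActionScriptDir
# hook ("$ActionScriptDir/wireguard.script ACTION IFACE") but refuses to run a
# hook file that does not look administrator-installed. The exact checks
# (owner, mode bits, name character set) are this example's assumptions.

# validate_action_script FILE [OWNER]: returns 0 if FILE is an executable
# regular file owned by OWNER (default root), not group/world writable and
# carrying no setuid/setgid bit, else 1. A bundle that ships its own
# "chmod 4777 wireguard.script" therefore never gets past this gate.
validate_action_script() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] && [ -x "$f" ] || return 1
    [ -n "$(find "$f" -user "$owner")" ] || return 1                        # wrong owner
    [ -z "$(find "$f" \( -perm -020 -o -perm -002 \))" ] || return 1        # g/o writable
    [ -z "$(find "$f" \( -perm -4000 -o -perm -2000 \))" ] || return 1      # setuid/setgid
    return 0
}

# run_action DIR ACTION IFACE [OWNER]: the call wg-quick would make under the
# proposal. The action must be one of the four fixed verbs and the interface
# name is limited to a conservative character set (max 15 chars), so text from
# the config only ever reaches the hook as argv, never through a shell eval.
run_action() {
    dir=$1; action=$2; iface=$3; owner=${4:-root}
    case $action in
        PRE_UP|PRE_DOWN|POST_UP|POST_DOWN) ;;
        *) echo "rejected action: $action" >&2; return 1 ;;
    esac
    case $iface in
        ""|*[!a-zA-Z0-9_=+.-]*) echo "rejected interface: $iface" >&2; return 1 ;;
    esac
    [ ${#iface} -le 15 ] || return 1
    script="$dir/wireguard.script"
    validate_action_script "$script" "$owner" || {
        echo "refusing to run $script: bad owner or mode" >&2; return 1; }
    "$script" "$action" "$iface"
}
```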
