[PATCH] wg-tools: Fix too strict file permissions on resolv.conf

Florian Bausch fbausch at ernw.de
Sun Feb 5 19:19:20 UTC 2023


Hi,

I hardened my system by setting a strict umask of 077 in 
/etc/login.defs. However, this breaks DNS as soon as wg-quick is used to 
bring up a WireGuard tunnel. This is because the strict umask value 
will be applied to /etc/resolv.conf (at least if the DNS hatchet is 
used) and therefore unprivileged processes are not able to read 
/etc/resolv.conf.

While the behavior can be worked around by setting umask in other 
places, the fix below would prevent this behavior from occurring. The umask 
022 is applied before creating the new /etc/resolv.conf in the DNS hatchet.

Kind regards

---
  contrib/dns-hatchet/hatchet.bash | 1 +
  1 file changed, 1 insertion(+)

diff --git a/contrib/dns-hatchet/hatchet.bash 
b/contrib/dns-hatchet/hatchet.bash
index bc4d090..807a14a 100644
--- a/contrib/dns-hatchet/hatchet.bash
+++ b/contrib/dns-hatchet/hatchet.bash
@@ -20,6 +20,7 @@ set_dns() {
  		[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
  		} | unshare -m --propagation shared bash -c "$(cat <<-_EOF
  			set -e
+			umask 022
  			context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || unset context
  			mount --make-private /dev/shm
  			mount -t tmpfs none /dev/shm
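Review bot: The `umask 022` added at the top of the unshare'd script only influences files created later in that heredoc, and nothing visible in this hunk creates /etc/resolv.conf, so the fix relies on the later creation step requesting the default 0666 mode rather than an explicit one. Setting the mode explicitly where the new file is written (for example `install -m 644 ...` or a `chmod 644` right after it is created) would be more robust than a process-wide umask, which also loosens the mode of anything else this script creates and still depends on the creating command's mode request. A short comment above `umask 022` stating why it is there (a 077 umask inherited from /etc/login.defs makes the regenerated resolv.conf unreadable to unprivileged processes) would also help, since the reason is otherwise only in the commit message.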
-- 
2.39.1
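The mechanism behind the report, as an added illustration that is not part of the patch or of the wireguard-tools project: a file created by shell redirection gets mode 0666 masked by the process umask, so an inherited umask of 077 yields 0600 and "other" loses read access, while 022 yields 0644. The script below recreates a resolv.conf-style file under a chosen umask in a subshell (so the caller's umask is untouched), reports the resulting mode, and checks world-readability the way a practitioner would verify the fix. It assumes GNU coreutils `stat -c` (the hatchet itself uses `stat -c`); paths and the nameserver line are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the patch or from wireguard-tools.
# Assumes GNU coreutils stat (-c %a). Sample content below is constructed.
set -e

# write_resolv_conf UMASK PATH: create PATH fresh via shell redirection
# under UMASK, in a subshell so the caller's umask is not changed.
# Removing any existing file first matters: redirection onto an existing
# file keeps its old mode, only a newly created file takes 0666 & ~umask.
write_resolv_conf() {
    _umask=$1
    _path=$2
    (
        umask "$_umask"
        rm -f "$_path"
        printf 'nameserver 10.0.0.1\n' > "$_path"   # constructed sample
    )
}

# file_mode PATH: print the octal permission bits, e.g. 644.
file_mode() {
    stat -c %a "$1"
}

# world_readable PATH: exit 0 if "other" has the read bit, 1 otherwise.
world_readable() {
    _mode=$(stat -c %a "$1")
    _other=$(( _mode % 10 ))
    [ $(( _other & 4 )) -ne 0 ]
}

# demo: show the broken (077) and fixed (022) outcomes side by side.
demo() {
    _dir=$(mktemp -d)
    for _u in 077 022; do
        write_resolv_conf "$_u" "$_dir/resolv.conf"
        if world_readable "$_dir/resolv.conf"; then
            _verdict="readable by unprivileged processes"
        else
            _verdict="NOT readable by unprivileged processes"
        fi
        printf 'umask %s -> mode %s (%s)\n' "$_u" \
            "$(file_mode "$_dir/resolv.conf")" "$_verdict"
    done
    rm -rf "$_dir"
}

demo
```

Running it prints the 0600 result for umask 077 and the 0644 result for 022; the same `world_readable` check against the real /etc/resolv.conf after `wg-quick up` is a quick way to confirm a system is affected.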

More information about the WireGuard mailing list