[PATCH] wg-tools: Fix too strict file permissions on resolv.conf
Florian Bausch
fbausch at ernw.de
Wed Feb 15 12:54:05 UTC 2023
Hi,
I hardened my system by setting a strict umask of 077 in
/etc/login.defs. However, this breaks DNS as soon as wg-quick is used to
bring up a WireGuard tunnel. This is because the strict umask value
will be applied to /etc/resolv.conf (at least if the DNS hatchet is
used), and therefore unprivileged processes are not able to read
/etc/resolv.conf.
While the behavior can be worked around by setting umask in other
places, the fix below would prevent this behavior from occurring. The umask
022 is applied before creating the new /etc/resolv.conf in the DNS hatchet.
Kind regards
Signed-off-by: Florian Bausch <fbausch at ernw.de>
---
contrib/dns-hatchet/hatchet.bash | 1 +
1 file changed, 1 insertion(+)
diff --git a/contrib/dns-hatchet/hatchet.bash
b/contrib/dns-hatchet/hatchet.bash
index bc4d090..807a14a 100644
--- a/contrib/dns-hatchet/hatchet.bash
+++ b/contrib/dns-hatchet/hatchet.bash
@@ -20,6 +20,7 @@ set_dns() {
[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
} | unshare -m --propagation shared bash -c "$(cat <<-_EOF
set -e
+ umask 022
context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || unset context
mount --make-private /dev/shm
mount -t tmpfs none /dev/shm
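Review bot: placing `umask 022` at the top of the unshared script (right after `set -e`) makes it apply to every file and directory the script creates from then on, not only to the new /etc/resolv.conf; if the intent is just that the replacement resolv.conf be world-readable, consider setting the mode explicitly on that file after it is written (e.g. `chmod 644`) or moving the `umask 022` to immediately before the write, so an operator's stricter umask still governs anything else the script produces. The commit message should also state the mode the file must end up with (0644, readable by unprivileged resolvers), since "too strict" alone does not say what is required. One further check worth doing: if the target file already exists when the script writes it, redirection reopens it with its existing mode and the umask has no effect, so the fix only helps when the file is created fresh.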
--
2.39.1
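The failure mode described in the mail, as an added example that is not part of the original post or of the wireguard-tools code: a file created by shell redirection takes its mode from the process umask, so under umask 077 a freshly written resolv.conf comes out 0600 and is unreadable by any other user, while under umask 022 it comes out 0644. The nameserver and search domain values are constructed sample data; the helper names (`write_resolv_with_umask`, `world_readable`, `file_mode`) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original mail or of wireguard-tools.
# Shows how the process umask decides the mode of a file created by
# redirection, which is why a login umask of 077 produces an unreadable
# /etc/resolv.conf and why the patch sets umask 022 before writing it.

set -u

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a resolv.conf-style file under the given umask and print its mode.
# The umask is applied in a subshell so it does not leak into the caller;
# the target must not already exist, since redirection onto an existing
# file keeps that file's old mode regardless of umask.
write_resolv_with_umask() {
    local mask="$1" target="$2"
    (
        umask "$mask"
        {
            printf 'nameserver %s\n' 10.0.0.53        # constructed sample resolver
            printf 'search %s\n' example.internal     # constructed sample domain
        } > "$target"
    )
    file_mode "$target"
}

# Succeeds (exit 0) if the "other" read bit is set, i.e. an unprivileged
# process in another group could open the file; fails (exit 1) otherwise.
world_readable() {
    local mode
    mode=$(file_mode "$1")
    [ $(( 8#$mode & 8#004 )) -ne 0 ]
}

demo() {
    local dir
    dir=$(mktemp -d)
    local strict="$dir/resolv.conf.strict" fixed="$dir/resolv.conf.fixed"

    printf 'umask 077 -> mode %s\n' "$(write_resolv_with_umask 077 "$strict")"
    printf 'umask 022 -> mode %s\n' "$(write_resolv_with_umask 022 "$fixed")"

    if world_readable "$strict"; then
        echo "strict: readable by others"
    else
        echo "strict: NOT readable by others (DNS breaks for unprivileged processes)"
    fi
    if world_readable "$fixed"; then
        echo "fixed: readable by others"
    else
        echo "fixed: NOT readable by others"
    fi

    rm -rf "$dir"
}

demo
```

Running the script as any user prints `600` for the strict case and `644` for the fixed case; the `world_readable` check is the same test an unprivileged resolver effectively performs when it opens /etc/resolv.conf.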