Development discussion of WireGuard
* [PATCH] wg-tools: Fix too strict file permissions on resolv.conf
@ 2023-02-05 19:19 Florian Bausch
  2023-02-07 22:54 ` Jason A. Donenfeld
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Bausch @ 2023-02-05 19:19 UTC (permalink / raw)
  To: wireguard

Hi,

I hardened my system by setting a strict umask of 077 in 
/etc/login.defs. However, this breaks DNS as soon as wg-quick is used to 
bring up a WireGuard tunnel. This is because the strict umask value 
will be applied to /etc/resolv.conf (at least if the DNS hatchet is 
used) and therefore unprivileged processes are not able to read 
/etc/resolv.conf.

While the behavior can be worked around by setting umask in other 
places, the fix below would prevent this behavior from occurring. The umask 
022 is applied before creating the new /etc/resolv.conf in the DNS hatchet.

Kind regards

---
  contrib/dns-hatchet/hatchet.bash | 1 +
  1 file changed, 1 insertion(+)

diff --git a/contrib/dns-hatchet/hatchet.bash 
b/contrib/dns-hatchet/hatchet.bash
index bc4d090..807a14a 100644
--- a/contrib/dns-hatchet/hatchet.bash
+++ b/contrib/dns-hatchet/hatchet.bash
@@ -20,6 +20,7 @@ set_dns() {
  		[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
  		} | unshare -m --propagation shared bash -c "$(cat <<-_EOF
  			set -e
+			umask 022
  			context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || unset context
  			mount --make-private /dev/shm
  			mount -t tmpfs none /dev/shm
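Review bot: placing `umask 022` right after `set -e` inside the `unshare -m ... bash -c` heredoc is the right scope, since the change stays confined to that subshell and does not loosen the caller's umask; however, umask only governs the mode of files being newly created, so if the script writes into an already existing resolv.conf (a redirect into an existing file keeps its current permissions) a file created earlier under umask 077 would stay 0600. An explicit `chmod 0644` on the generated file after it is written would cover both cases and make the intended mode visible in the script rather than implied by the umask.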
-- 
2.39.1


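As an added example (not from the patch or the wg-quick repository), this shell script reproduces the problem described in the mail: a file created the way a shell redirection creates it ends up mode 0600 under umask 077, so non-root resolver clients cannot read it, while `umask 022` in a subshell yields 0644 and leaves the caller's umask untouched. It assumes GNU `stat` (as hatchet.bash itself does) and works in a temporary directory instead of the real /etc/resolv.conf.

```shell
#!/bin/sh
# Added example: how the inherited umask decides the mode of a freshly
# created resolv.conf, and why umask 022 inside a subshell fixes it.

# Create a file under umask $1 at path $2 (a redirect creates with 0666
# masked by the umask) and return the resulting mode, e.g. "600" or "644".
# The file is removed first: a redirect into an existing file would keep
# that file's mode, which is exactly why umask alone cannot repair it.
mode_after_umask() {
    rm -f "$2"
    ( umask "$1"; : > "$2" ) || return 1
    stat -c %a "$2"
}

# Return 0 if "other" users can read $1, i.e. the check an unprivileged
# resolver client effectively performs; 1 otherwise.
world_readable() {
    perms=$(stat -c %a "$1") || return 1
    case "$perms" in
        *[4567]) return 0 ;;   # read bit set in the last (other) digit
        *)       return 1 ;;
    esac
}

# Return 0 if running umask 022 in a subshell leaves the caller's umask
# unchanged, which is what confines the fix to the hatchet's subshell.
umask_unchanged() {
    before=$(umask)
    ( umask 022; : )
    after=$(umask)
    [ "$before" = "$after" ]
}

demo() {
    dir=$(mktemp -d)
    f="$dir/resolv.conf"
    echo "hardened host (umask 077): mode $(mode_after_umask 077 "$f")"
    world_readable "$f" && echo "  readable by others" \
        || echo "  NOT readable by others: DNS breaks for unprivileged users"
    echo "with the patch (umask 022): mode $(mode_after_umask 022 "$f")"
    world_readable "$f" && echo "  readable by others" \
        || echo "  NOT readable by others"
    umask_unchanged && echo "caller's umask untouched: $(umask)"
    rm -rf "$dir"
}
```

Run `demo` on a Linux host to see both modes side by side; nothing is written outside the temporary directory.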

* Re: [PATCH] wg-tools: Fix too strict file permissions on resolv.conf
  2023-02-05 19:19 [PATCH] wg-tools: Fix too strict file permissions on resolv.conf Florian Bausch
@ 2023-02-07 22:54 ` Jason A. Donenfeld
  2023-02-15 12:54   ` Florian Bausch
  0 siblings, 1 reply; 4+ messages in thread
From: Jason A. Donenfeld @ 2023-02-07 22:54 UTC (permalink / raw)
  To: fbausch; +Cc: wireguard

Thanks.

Can you send this with a `Signed-off-by:` line like every commit in
that repository does, please? Then I'll apply this.

Jason


* Re: [PATCH] wg-tools: Fix too strict file permissions on resolv.conf
  2023-02-07 22:54 ` Jason A. Donenfeld
@ 2023-02-15 12:54   ` Florian Bausch
  2023-02-15 12:55     ` Florian Bausch
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Bausch @ 2023-02-15 12:54 UTC (permalink / raw)
  To: wireguard


Hi,

I hardened my system by setting a strict umask of 077 in
/etc/login.defs. However, this breaks DNS as soon as wg-quick is used to
bring up a WireGuard tunnel. This is because the strict umask value
will be applied to /etc/resolv.conf (at least if the DNS hatchet is
used) and therefore unprivileged processes are not able to read
/etc/resolv.conf.

While the behavior can be worked around by setting umask in other
places, the fix below would prevent this behavior from occurring. The umask
022 is applied before creating the new /etc/resolv.conf in the DNS hatchet.

Kind regards

Signed-off-by: Florian Bausch <fbausch@ernw.de>
---
  contrib/dns-hatchet/hatchet.bash | 1 +
  1 file changed, 1 insertion(+)

diff --git a/contrib/dns-hatchet/hatchet.bash 
b/contrib/dns-hatchet/hatchet.bash
index bc4d090..807a14a 100644
--- a/contrib/dns-hatchet/hatchet.bash
+++ b/contrib/dns-hatchet/hatchet.bash
@@ -20,6 +20,7 @@ set_dns() {
  		[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
  		} | unshare -m --propagation shared bash -c "$(cat <<-_EOF
  			set -e
+			umask 022
  			context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || unset context
  			mount --make-private /dev/shm
  			mount -t tmpfs none /dev/shm
-- 
2.39.1



* Re: [PATCH] wg-tools: Fix too strict file permissions on resolv.conf
  2023-02-15 12:54   ` Florian Bausch
@ 2023-02-15 12:55     ` Florian Bausch
  0 siblings, 0 replies; 4+ messages in thread
From: Florian Bausch @ 2023-02-15 12:55 UTC (permalink / raw)
  To: wireguard

(This time without signature)
Hi,

I hardened my system by setting a strict umask of 077 in
/etc/login.defs. However, this breaks DNS as soon as wg-quick is used to
bring up a WireGuard tunnel. This is because the strict umask value
will be applied to /etc/resolv.conf (at least if the DNS hatchet is
used) and therefore unprivileged processes are not able to read
/etc/resolv.conf.

While the behavior can be worked around by setting umask in other
places, the fix below would prevent this behavior from occurring. The umask
022 is applied before creating the new /etc/resolv.conf in the DNS hatchet.

Kind regards

Signed-off-by: Florian Bausch <fbausch@ernw.de>
---
  contrib/dns-hatchet/hatchet.bash | 1 +
  1 file changed, 1 insertion(+)

diff --git a/contrib/dns-hatchet/hatchet.bash 
b/contrib/dns-hatchet/hatchet.bash
index bc4d090..807a14a 100644
--- a/contrib/dns-hatchet/hatchet.bash
+++ b/contrib/dns-hatchet/hatchet.bash
@@ -20,6 +20,7 @@ set_dns() {
          [[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' 
"${DNS_SEARCH[*]}"
          } | unshare -m --propagation shared bash -c "$(cat <<-_EOF
              set -e
+            umask 022
              context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || 
unset context
              mount --make-private /dev/shm
              mount -t tmpfs none /dev/shm
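Review bot: this copy of the patch is whitespace-damaged and would not apply with `git am`: the context line `[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n'` and the `context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" ||` line are each wrapped onto two lines, and the tab indentation present in the earlier copies of this hunk has been converted to spaces, so the context no longer matches hatchet.bash byte for byte. Resend the output of `git format-patch` unmodified, for instance via `git send-email` or as an attachment, so the hunk applies cleanly.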
-- 
2.39.1
