From 0b711689b39bc9f5bd17457ecc3ec5723f6f7f5c Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Thu, 5 Jan 2017 19:57:50 +0100
Subject: tools: wg-quick: enforce good permissions
---
 src/tools/Makefile | 3 ++-
 src/tools/wg-quick.bash | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/tools/Makefile b/src/tools/Makefile
index 8160cc9..fee7951 100644
--- a/src/tools/Makefile
+++ b/src/tools/Makefile
@@ -1,6 +1,7 @@
 PKG_CONFIG ?= pkg-config
 PREFIX ?= /usr
 DESTDIR ?=
+SYSCONFDIR ?= /etc
 BINDIR ?= $(PREFIX)/bin
 LIBDIR ?= $(PREFIX)/lib
 MANDIR ?= $(PREFIX)/share/man
@@ -54,7 +55,7 @@ install: wg
 @[ "$(WITH_BASHCOMPLETION)" = "yes" ] || exit 0; \
 install -v -d "$(DESTDIR)$(BASHCOMPDIR)" && install -m 0644 -v completion/wg.bash-completion "$(DESTDIR)$(BASHCOMPDIR)/wg"
 @[ "$(WITH_WGQUICK)" = "yes" ] || exit 0; \
- install -m 0755 -v wg-quick.bash "$(DESTDIR)$(BINDIR)/wg-quick"
+ install -m 0755 -v wg-quick.bash "$(DESTDIR)$(BINDIR)/wg-quick" && install -m 0700 -v -d "$(DESTDIR)$(SYSCONFDIR)/wireguard"
 @[ "$(WITH_WGQUICK)" = "yes" ] || exit 0; \
 install -m 0644 -v wg-quick.8 "$(DESTDIR)$(MANDIR)/man8/wg-quick.8"
 @[ "$(WITH_WGQUICK)" = "yes" -a "$(WITH_BASHCOMPLETION)" = "yes" ] || exit 0; \
diff --git a/src/tools/wg-quick.bash b/src/tools/wg-quick.bash
index e686d73..c9157ad 100755
--- a/src/tools/wg-quick.bash
+++ b/src/tools/wg-quick.bash
@@ -27,6 +27,7 @@ parse_options() {
 [[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,16}$ ]] && CONFIG_FILE="/etc/wireguard/$CONFIG_FILE.conf"
 [[ -e $CONFIG_FILE ]] || die "\`$CONFIG_FILE' does not exist"
 [[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,16})\.conf$ ]] || die "The config file must be a valid interface name, followed by .conf"
+ ((($(stat -c '%#a' "$CONFIG_FILE") & 0007) == 0)) || echo "Warning: \`$CONFIG_FILE' is world accessible" >&2
 INTERFACE="${BASH_REMATCH[1]}"
 shopt -s nocasematch
 while read -r line; do
--
cgit v1.2.3-59-g8ed1b
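Review bot: In the second src/tools/Makefile hunk (the `install` rule) the 0700 directory is created at `$(DESTDIR)$(SYSCONFDIR)/wireguard`, but the wg-quick.bash context in this same patch resolves short names to the hard-coded `/etc/wireguard/`. If SYSCONFDIR is overridden at build time, the restricted directory ends up in one location while the script still reads its configs from another that this rule never tightened. Either substitute the configured path into the script at install time, or state next to the new variable that it must stay `/etc`, e.g. `# wg-quick.bash hard-codes /etc/wireguard; keep SYSCONFDIR in sync`. A short why-comment on the rule would also help, such as `# 0700: files under this directory are expected to hold key material`.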
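Review bot: The added `stat -c '%#a'` check in parse_options does not dereference symlinks, although the preceding `[[ -e $CONFIG_FILE ]]` test does. For a symlinked config it therefore evaluates the link's own mode (normally 0777) and warns regardless of the target's permissions; `stat -L -c '%#a' "$CONFIG_FILE"` would inspect the file that is actually read. If `stat` fails, the empty substitution makes the arithmetic expression invalid and the same "world accessible" message is printed, which misreports the cause. The mask `0007` covers only the "other" bits and the script continues after the warning, so the check is advisory rather than the enforcement the subject line suggests; a comment saying so (`# advisory only: warn when "other" has any access, do not abort`) would set the right expectation. parse_options begins and ends outside this hunk.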