authorJason A. Donenfeld <Jason@zx2c4.com>2020-08-28 10:58:51 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2020-08-28 11:04:21 +0200
commitf3caeab25418d64309b87a76e4d5f53d011e3f40 (patch)
treee49f7df5e29ff87b97f6de300bb2f983ae6da3f8 /src/wg-quick/linux.bash
parentversion: bump (diff)
downloadwireguard-tools-f3caeab25418d64309b87a76e4d5f53d011e3f40.tar.xz
wireguard-tools-f3caeab25418d64309b87a76e4d5f53d011e3f40.zip
wg-quick: linux: check for CAP_NET_ADMIN and config file access before auto_sujd/capability-check
This way people can use wg-quick in situations where they only have CAP_NET_ADMIN but not other capabilities, and are operating on writable files.

Suggested-by: Jonny Fillmore <jonathon.fillmore@netprotect.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src/wg-quick/linux.bash')
-rwxr-xr-xsrc/wg-quick/linux.bash21
1 files changed, 20 insertions, 1 deletions
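--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -81,8 +81,27 @@ read_bool() {
 esac
 }
+has_cap_net_admin() {
+ local line
+ while read -r line; do
+ [[ $line =~ ^CapEff:\ [0-9a-f]*([0-9a-f])[0-9a-f]{3}$ ]] || continue
+ (( 0x${BASH_REMATCH[1]} & 1 != 0 )) && return 0
+ return 1
+ done < /proc/self/status
+ return 1
+}
+
+config_file_is_writable() {
+ local cf="$1"
+ [[ $cf =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/wireguard/$cf.conf"
+ [[ -w $cf ]] && return 0
+ return 1
+}
+
 auto_su() {
- [[ $UID == 0 ]] || exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}"
+ [[ $UID == 0 ]] && return 0
+ has_cap_net_admin && config_file_is_writable "${ARGS[2]}" && return 0
+ exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}"
 }
 add_if() {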
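Review bot: `config_file_is_writable` never tests the path it just resolved: when `$1` is a bare interface name the function assigns the global `CONFIG_FILE`, but the `-w` test on the next line still checks `$cf`, i.e. a relative path in the caller's current directory, so the capability fast path is taken only if a file of that name happens to exist and be writable there, and `CONFIG_FILE` is clobbered as a side effect. Assign the local instead: `[[ $cf =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && cf="/etc/wireguard/$cf.conf"`. The index `${ARGS[2]}` passed from `auto_su` depends on how ARGS is populated outside this hunk; if it mirrors `"$@"`, the interface argument of `up`/`down` would be `${ARGS[1]}`, worth confirming against the dispatch code. In `has_cap_net_admin`, `0x${BASH_REMATCH[1]} & 1 != 0` is evaluated with C precedence as `& (1 != 0)`, which yields the intended result only because the right operand is 1; `(( (0x${BASH_REMATCH[1]} & 1) != 0 ))` states what is meant.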