From 9cf0a759407391589fb3cca3b224b6adcccef188 Mon Sep 17 00:00:00 2001
From: mirefly42 <143206683+mirefly42@users.noreply.github.com>
Date: Fri, 2 May 2025 14:44:58 +0700
Subject: [PATCH 1/7] Prevent openrc service from generating a config readable by everyone
---
 contrib/openrc/yggdrasil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/openrc/yggdrasil b/contrib/openrc/yggdrasil
index aece8ecb..f77b2603 100755
--- a/contrib/openrc/yggdrasil
+++ b/contrib/openrc/yggdrasil
@@ -14,7 +14,7 @@ depend() {
 start_pre() {
 if [ ! -f "${CONFFILE}" ]; then
 ebegin "Generating new configuration file into ${CONFFILE}"
- if ! eval ${command} -genconf > ${CONFFILE}; then
+ if ! (umask 037 && eval ${command} -genconf > ${CONFFILE}); then
 eerror "Failed to generate configuration file"
 exit 1
 fi
From d372b033b60a0cc9e42dcfb0665356454aace729 Mon Sep 17 00:00:00 2001
From: mirefly42 <143206683+mirefly42@users.noreply.github.com>
Date: Fri, 2 May 2025 15:41:26 +0700
Subject: [PATCH 2/7] Prevent systemd service from generating a config readable by everyone
---
 contrib/systemd/yggdrasil-default-config.service | 1 +
 contrib/systemd/yggdrasil-default-config.service.debian | 1 +
 2 files changed, 2 insertions(+)
diff --git a/contrib/systemd/yggdrasil-default-config.service b/contrib/systemd/yggdrasil-default-config.service
index e9fe45be..37842f43 100644
--- a/contrib/systemd/yggdrasil-default-config.service
+++ b/contrib/systemd/yggdrasil-default-config.service
@@ -8,6 +8,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 Group=yggdrasil
+UMask=037
 StandardOutput=file:/etc/yggdrasil.conf
 ExecStart=/usr/bin/yggdrasil -genconf
 ExecStartPost=/usr/bin/chmod 0640 /etc/yggdrasil.conf
diff --git a/contrib/systemd/yggdrasil-default-config.service.debian b/contrib/systemd/yggdrasil-default-config.service.debian
index dc3fdc5a..0ed7c2e5 100644
--- a/contrib/systemd/yggdrasil-default-config.service.debian
+++ b/contrib/systemd/yggdrasil-default-config.service.debian
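Review bot: `umask 037` in the openrc `start_pre()` hunk still leaves the new config group-readable, and nothing visible in the hunk hands the file to a dedicated group, so that read bit goes to whatever primary group the init script runs under. The generated file holds the node's private key, so where no `yggdrasil` group is involved `umask 077` is the tighter choice: `if ! (umask 077 && eval ${command} -genconf > ${CONFFILE}); then`. The same question applies to the busybox-init, freebsd, docker and macos hunks later in this series; the systemd and deb hunks set or chown to the `yggdrasil` group, where 0640 is the intended mode. `start_pre()` continues past the end of the hunk, so a chown further down would change this.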
@@ -8,6 +8,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 Group=yggdrasil
+UMask=037
 ExecStartPre=/usr/bin/mkdir -p /etc/yggdrasil
 ExecStart=/usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf
 ExecStartPost=/usr/bin/chmod -R 0640 /etc/yggdrasil
From 3c226e26ec018669ec60825c41cbee573f67dbdd Mon Sep 17 00:00:00 2001
From: mirefly42 <143206683+mirefly42@users.noreply.github.com>
Date: Fri, 2 May 2025 15:43:30 +0700
Subject: [PATCH 3/7] Prevent busybox-init service from generating a config readable by everyone
---
 contrib/busybox-init/S42yggdrasil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/busybox-init/S42yggdrasil b/contrib/busybox-init/S42yggdrasil
index 862efc25..04dc791d 100755
--- a/contrib/busybox-init/S42yggdrasil
+++ b/contrib/busybox-init/S42yggdrasil
@@ -3,7 +3,7 @@ CONFFILE="/etc/yggdrasil.conf"
 genconf() {
- /usr/bin/yggdrasil -genconf > "$1"
+ (umask 037 && /usr/bin/yggdrasil -genconf > "$1")
 return $?
 }
From e7c0bd20dc01cb14071f06dec52dd93c9cc8dc62 Mon Sep 17 00:00:00 2001
From: mirefly42 <143206683+mirefly42@users.noreply.github.com>
Date: Fri, 2 May 2025 15:54:59 +0700
Subject: [PATCH 4/7] Prevent freebsd service from generating a config readable by everyone
---
 contrib/freebsd/yggdrasil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/freebsd/yggdrasil b/contrib/freebsd/yggdrasil
index 58482fc9..10fc0509 100644
--- a/contrib/freebsd/yggdrasil
+++ b/contrib/freebsd/yggdrasil
@@ -33,7 +33,7 @@ yggdrasil_start()
 test ! -f /etc/yggdrasil.conf && (
 logger -s -t yggdrasil "Generating new configuration file into /etc/yggdrasil.conf"
- /usr/local/bin/yggdrasil -genconf > /etc/yggdrasil.conf
+ (umask 037 && /usr/local/bin/yggdrasil -genconf > /etc/yggdrasil.conf)
 )
 tap_path="$(cat /etc/yggdrasil.conf | egrep -o '/dev/tap[0-9]{1,2}$')"
From ed0dc0d11577c2b9abd24625b70928b06861425d Mon Sep 17 00:00:00 2001
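Review bot: In yggdrasil-default-config.service.debian the added `UMask=037` probably never governs how the config file is created, because the `ExecStart=` line two lines below depends on `> /etc/yggdrasil/yggdrasil.conf` and systemd does not interpret shell redirection in command lines. Using the form the sibling unit already has, `StandardOutput=file:/etc/yggdrasil/yggdrasil.conf` with `ExecStart=/usr/bin/yggdrasil -genconf`, should let the umask apply to the file. The umask does apply to `ExecStartPre=/usr/bin/mkdir -p /etc/yggdrasil`, so a newly created directory comes out 0740 with no search bit for the `yggdrasil` group; that is worth checking on a clean install.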
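Review bot: The exit status of the new subshell in contrib/freebsd/yggdrasil is discarded, and a failed `-genconf` still leaves an empty /etc/yggdrasil.conf behind because the redirect creates the file before the command runs. The next start then sees `test ! -f` fail and skips generation, and the `tap_path=` line right after the block reads the empty file. Removing the partial file on failure keeps the existence check meaningful: `(umask 037 && /usr/local/bin/yggdrasil -genconf > /etc/yggdrasil.conf) || rm -f /etc/yggdrasil.conf`. The openrc hunk reports the failure but leaves the file in place the same way, and the docker hunk uses the same existence guard. `yggdrasil_start()` begins and ends outside this hunk.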
From: mirefly42 <143206683+mirefly42@users.noreply.github.com>
Date: Fri, 2 May 2025 16:05:28 +0700
Subject: [PATCH 5/7] Prevent deb package postinst script from generating a config readable by everyone
---
 contrib/deb/generate.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/deb/generate.sh b/contrib/deb/generate.sh
index 5731827c..acc81a07 100644
--- a/contrib/deb/generate.sh
+++ b/contrib/deb/generate.sh
@@ -108,7 +108,7 @@ then
 chmod 640 /etc/yggdrasil/yggdrasil.conf
 else
 echo "Generating initial configuration file /etc/yggdrasil/yggdrasil.conf"
- /usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf
+ (umask 037 && /usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf)
 chown root:yggdrasil /etc/yggdrasil/yggdrasil.conf
 chmod 640 /etc/yggdrasil/yggdrasil.conf
From 39711d4c87cbc037955a6abefe1abb98939a0f92 Mon Sep 17 00:00:00 2001
From: mirefly42 <143206683+mirefly42@users.noreply.github.com>
Date: Fri, 2 May 2025 17:08:02 +0700
Subject: [PATCH 6/7] Prevent contrib/docker/entrypoint.sh script from generating a config readable by everyone
---
 contrib/docker/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/docker/entrypoint.sh b/contrib/docker/entrypoint.sh
index 26c685a8..5bbf0f0a 100755
--- a/contrib/docker/entrypoint.sh
+++ b/contrib/docker/entrypoint.sh
@@ -6,7 +6,7 @@ CONF_DIR="/etc/yggdrasil-network"
 if [ ! -f "$CONF_DIR/config.conf" ]; then
 echo "generate $CONF_DIR/config.conf"
- yggdrasil --genconf > "$CONF_DIR/config.conf"
+ (umask 037 && yggdrasil --genconf > "$CONF_DIR/config.conf")
 fi
 yggdrasil --useconf < "$CONF_DIR/config.conf"
From eebee5f6f98a83220fe07bb05129fd2c932eab85 Mon Sep 17 00:00:00 2001
From: mirefly42 <143206683+mirefly42@users.noreply.github.com>
Date: Fri, 2 May 2025 17:16:27 +0700
Subject: [PATCH 7/7] Prevent contrib/macos/create-pkg.sh script from generating a config readable by everyone
---
 contrib/macos/create-pkg.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/macos/create-pkg.sh b/contrib/macos/create-pkg.sh
index 773f01ee..9d063d65 100755
--- a/contrib/macos/create-pkg.sh
+++ b/contrib/macos/create-pkg.sh
@@ -55,7 +55,7 @@ then
 echo "Normalising /etc/yggdrasil.conf"
 /usr/local/bin/yggdrasil -useconffile /Library/Preferences/Yggdrasil/yggdrasil.conf.`date +%Y%m%d` -normaliseconf > /etc/yggdrasil.conf
 else
- /usr/local/bin/yggdrasil -genconf > /etc/yggdrasil.conf
+ (umask 037 && /usr/local/bin/yggdrasil -genconf > /etc/yggdrasil.conf)
 fi
 # Unload existing Yggdrasil launchd service, if possible
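Review bot: Only the `else` branch in contrib/macos/create-pkg.sh gets the restrictive umask; the `-normaliseconf` line two lines above still writes /etc/yggdrasil.conf under the inherited umask, and when the file already exists the redirect keeps its old mode. A config that an earlier install created world-readable therefore stays world-readable after an upgrade. An explicit `chmod 640 /etc/yggdrasil.conf` after the `fi` would cover both branches, unless the script already does that outside this hunk.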