/etc/netstart permissions


/etc/netstart permissions

Julien Dhaille
Hello guys.
Some deployment or configuration management tools can sometimes create or alter /etc/mygate.
/etc/netstart fixes the permissions of the hostname.* files, so I thought it could be useful to also check and fix the permissions of /etc/mygate.

greetings

Index: etc/netstart
===================================================================
RCS file: /cvs/src/etc/netstart,v
retrieving revision 1.197
diff -u -p -u -p -r1.197 netstart
--- etc/netstart        4 Mar 2018 10:12:26 -0000       1.197
+++ etc/netstart        25 Mar 2018 17:41:31 -0000
@@ -19,6 +19,17 @@ stripcom() {
        done <$_file
 }

+# Check the current permissions on hostname.if files and /etc/mygate
+set_permissions() {
+       local _inter=$1
+       set -A _stat -- $(ls -nL $_inter)
+       if [[ "${_stat[0]}${_stat[2]}${_stat[3]}" != *---00 ]]; then
+               print -u2 "WARNING: $_inter is insecure, fixing permissions."
+               chmod -LR o-rwx $_inter
+               chown -LR root:wheel $_inter
+       fi
+}
+
 # Parse and "unpack" a hostname.if(5) line given as positional parameters.
 # Fill the _cmds array with the resulting interface configuration commands.
 parse_hn_line() {
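Review bot: `_stat` is filled by `set -A _stat` inside the new `set_permissions()` but is not declared local there, and the following hunk removes it from `ifstart`'s `local` list, so the array now becomes a script-wide global; declare it with `local _inter=$1 _stat`. The header comment says only "Check", while the function also runs `chmod` and `chown` as root; a closer description would be `# Ensure a file is owned by root:wheel and not accessible to others; warn and fix otherwise.` Since the helper now takes an arbitrary path rather than a name validated in `ifstart`, quoting `"$_inter"` in the `ls`, `chmod` and `chown` calls would keep it safe for future callers.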
@@ -100,7 +111,7 @@ vifscreate() {
 # Start a single interface.
 # Usage: ifstart if1
 ifstart() {
-       local _if=$1 _hn=/etc/hostname.$1 _cmds _i=0 _line _stat
+       local _if=$1 _hn=/etc/hostname.$1 _cmds _i=0 _line
        set -A _cmds

        # Interface names must be alphanumeric only.  We check to avoid
@@ -113,12 +124,7 @@ ifstart() {
        fi

        # Not using stat(1), we can't rely on having /usr yet.
-       set -A _stat -- $(ls -nL $_hn)
-       if [[ "${_stat[0]}${_stat[2]}${_stat[3]}" != *---00 ]]; then
-               print -u2 "WARNING: $_hn is insecure, fixing permissions."
-               chmod -LR o-rwx $_hn
-               chown -LR root:wheel $_hn
-       fi
+       set_permissions $_hn

        # Check for ifconfig'able interface, except if -n option is specified.
        if ! $PRINT_ONLY; then
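Review bot: The comment `# Not using stat(1), we can't rely on having /usr yet.` is left above the `set_permissions $_hn` call, but the `ls -nL` parsing it explains has moved into the helper. Move that comment into `set_permissions()`, directly above the `set -A _stat -- $(ls -nL $_inter)` line, so the reason for parsing `ls` output stays with the code it justifies. `ifstart`'s body starts and ends outside this hunk.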
@@ -193,6 +199,8 @@ defaultroute() {
                        $_cmd && break
                fi
        done
+
+       set_permissions /etc/mygate
 }

 # Get network related vars from rc.conf using the parsing routine from rc.subr.
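Review bot: `set_permissions /etc/mygate` runs unconditionally at the end of `defaultroute()`, and nothing visible in this hunk checks that the file exists. When /etc/mygate is absent, `ls -nL` yields no fields, the empty string fails the `*---00` match, and the helper prints the "insecure" warning and runs `chmod`/`chown` on a missing path on every run. Guard the call, for example `if [[ -f /etc/mygate ]]; then set_permissions /etc/mygate; fi`. The call also sits after the loop, so the check presumably happens only after the file has been read; `defaultroute`'s body begins outside the hunk, so confirm the ordering against the full function.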



Re: /etc/netstart permissions

Theo de Raadt-2
no, this isn't worthwhile.

the permission control of /etc/hostname.* files is because they can contain
wifi keys, which shouldn't be disclosed

that circumstance does not apply to mygate


> Hello guys.
> Some deployment or configuration management tools can sometimes create or alter /etc/mygate.
> /etc/netstart fix the permissions for hostname.* so I thought maybe it could be useful to also check and fix the permissions of /etc/mygate
>
> greetings
>
> Index: etc/netstart
> ===================================================================
> RCS file: /cvs/src/etc/netstart,v
> retrieving revision 1.197
> diff -u -p -u -p -r1.197 netstart
> --- etc/netstart        4 Mar 2018 10:12:26 -0000       1.197
> +++ etc/netstart        25 Mar 2018 17:41:31 -0000
> @@ -19,6 +19,17 @@ stripcom() {
>         done <$_file
>  }
>
> +# Check the current permissions on hostname.if files and /etc/mygate
> +set_permissions() {
> +       local _inter=$1
> +       set -A _stat -- $(ls -nL $_inter)
> +       if [[ "${_stat[0]}${_stat[2]}${_stat[3]}" != *---00 ]]; then
> +               print -u2 "WARNING: $_inter is insecure, fixing permissions."
> +               chmod -LR o-rwx $_inter
> +               chown -LR root:wheel $_inter
> +       fi
> +}
> +
>  # Parse and "unpack" a hostname.if(5) line given as positional parameters.
>  # Fill the _cmds array with the resulting interface configuration commands.
>  parse_hn_line() {
> @@ -100,7 +111,7 @@ vifscreate() {
>  # Start a single interface.
>  # Usage: ifstart if1
>  ifstart() {
> -       local _if=$1 _hn=/etc/hostname.$1 _cmds _i=0 _line _stat
> +       local _if=$1 _hn=/etc/hostname.$1 _cmds _i=0 _line
>         set -A _cmds
>
>         # Interface names must be alphanumeric only.  We check to avoid
> @@ -113,12 +124,7 @@ ifstart() {
>         fi
>
>         # Not using stat(1), we can't rely on having /usr yet.
> -       set -A _stat -- $(ls -nL $_hn)
> -       if [[ "${_stat[0]}${_stat[2]}${_stat[3]}" != *---00 ]]; then
> -               print -u2 "WARNING: $_hn is insecure, fixing permissions."
> -               chmod -LR o-rwx $_hn
> -               chown -LR root:wheel $_hn
> -       fi
> +       set_permissions $_hn
>
>         # Check for ifconfig'able interface, except if -n option is specified.
>         if ! $PRINT_ONLY; then
> @@ -193,6 +199,8 @@ defaultroute() {
>                         $_cmd && break
>                 fi
>         done
> +
> +       set_permissions /etc/mygate
>  }
>
>  # Get network related vars from rc.conf using the parsing routine from rc.subr.
>
>