Currently, all init scripts, except for systemd, will generate a config
file with default permissions, which is usually `rw-r--r--`.
This is bad, because the config contains a private key.
The systemd service does `chmod 640` after creating the config, which is
much better than just leaving it readable for everyone forever, but
there is still a slight chance that some malicious program might steal
the private key during the time window between key creation and chmod.
For this reason, in this pull request I use `umask 037`, so the config
won't have read permission for others in the first place.
Note that I have only tested openrc and systemd services.
Also, I'm not sure what to do with the contrib/msi/build-msi.sh script,
which creates a bat file that generates a config. I don't know anything
about file permissions on windows, however, it seems that the bat file
generates the config into a user's personal directory, so maybe it's
already somewhat fine.
* Update Debian package
* Don't put `AdminListen` in config by default, fix path in Debian package
* Fix path in unit file
* Preserve original service files for other packages
---------
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
The AppArmor profile in contrib forbids `/usr/bin/yggdrasil` from reading the file in `/var/backups/yggdrasil.conf...`. This works around that restriction by having the shell do the reading of `/var/backups/yggdrasil.conf...` file while providing the same exact functionality without making the AppArmor profile less restrictive.
Another change is the safe perms for the `/etc/yggdrasil.conf` (so that config will have 0640 permissions). This is important because if we kept the default of 644 then any user (privileged or unprivileged) will have the ability to read the yggdrasil private key. We use a restrictive umask of 0027 to make this possible.
It now won't enable itself automatically on install and it will
only start Yggdrasil if enabled in systemd. It also won't break
during install on systems where systemd is not present.
* switch address range from fd00::/8 to the deprecated 0200::/7 range
* Fix launchd script path and amend debian control file
* fix address/prefix code, platform specific parts still need testing
* macos
* cleanup old ugly session MTU code that only mattered with lossy UDP fragments
* Fix debian control file
* Let's try this again
* tcp/socks cleanup
* comment
* avoid the proxy.SOCK5 connection attempt unless we're actually going to use the dialer
* Update generate.sh
* prevent parent nodes from forcing coord oscillation, have dht.handleRes clean up the old request info immediately
* address range changes
* Update README.md
Consistently remove leading zeros from addresses in the readme.
* Update yggdrasil.go
* Collect yggdrasilctl during CI build
* Fix CircleCI after fat-fingered copypasta
* Fix for Windows
* clean up main yggdrasil.go imports and run gofmt
