yggdrasil-go/contrib/docker/entrypoint.sh
mirefly42 df48ac2ada Fix default config permissions (#1253)
Currently, all init scripts, except for systemd, will generate a config
file with default permissions, which is usually `rw-r--r--`.
This is bad, because the config contains a private key.

The systemd service does `chmod 640` after creating the config, which is
much better than just leaving it readable for everyone forever, but
there is still a slight chance that some malicious program might steal
the private key during the time window between key creation and chmod.

For this reason, in this pull request I use `umask 037`, so the config
won't have read permission for others in the first place.

Note that I have only tested openrc and systemd services.

Also, I'm not sure what to do with the contrib/msi/build-msi.sh script,
which creates a bat file that generates a config. I don't know anything
about file permissions on Windows; however, it seems that the bat file
generates the config into a user's personal directory, so maybe it's
already somewhat fine.
2026-01-18 14:58:00 +00:00

19 lines
407 B
Bash
Executable File

#!/usr/bin/env sh

set -e

CONF_DIR="/etc/yggdrasil-network"

if [ ! -f "$CONF_DIR/config.conf" ]; then
  echo "generate $CONF_DIR/config.conf"
  (umask 037 && yggdrasil --genconf > "$CONF_DIR/config.conf")
fi

if [ -n "$ALLOW_IPV6_FORWARDING" ]; then
  echo "set sysctl -w net.ipv6.conf.all.forwarding=1"
  sysctl -w net.ipv6.conf.all.forwarding=1
fi

yggdrasil --useconf < "$CONF_DIR/config.conf"
exit $?
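
The following is an added example, not part of yggdrasil-go: it shows the mode a redirected file is created with under a common default umask versus `umask 037`, and a check for configs that already exist, which the entrypoint above never rewrites because of its `[ ! -f ... ]` guard. The helper names are hypothetical and `printf` stands in for `yggdrasil --genconf`.

```shell
#!/usr/bin/env sh
# Added example, not yggdrasil-go code. Helper names are hypothetical and
# printf stands in for `yggdrasil --genconf` (constructed sample content).

# Print a file's octal permission bits (GNU/busybox stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Write a sample secret to $1 with umask $2 set before the redirection
# creates the file. The subshell keeps the umask from leaking to the caller.
write_with_umask() {
    (umask "$2" && printf 'PrivateKey: constructed-sample\n' > "$1")
}

# Exit 0 if "others" have no permission bits on $1, 1 if they do,
# 2 if the file cannot be inspected.
others_locked_out() {
    m=$(mode_of "$1") || return 2
    case "$m" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

demo() {
    dir=$(mktemp -d) || return 1
    # Common default umask: the file is born world-readable and stays so
    # until a later chmod runs.
    write_with_umask "$dir/old.conf" 022
    echo "umask 022 -> $(mode_of "$dir/old.conf")"
    # The commit's umask: never readable by others, not even briefly.
    write_with_umask "$dir/new.conf" 037
    echo "umask 037 -> $(mode_of "$dir/new.conf")"
    # umask only applies at creation: rewriting an existing file keeps its
    # old mode, so configs generated before the fix still need an audit.
    write_with_umask "$dir/old.conf" 037
    echo "rewritten  -> $(mode_of "$dir/old.conf")"
    for f in "$dir/old.conf" "$dir/new.conf"; do
        others_locked_out "$f" || echo "WARNING: $f is accessible to others"
    done
    rm -rf "$dir"
}

demo
```

Running `others_locked_out /etc/yggdrasil-network/config.conf` on a host whose config was generated before this commit reports whether that key file still grants access to others.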