yggdrasil-go/contrib/openrc/yggdrasil
mirefly42 df48ac2ada Fix default config permissions (#1253)
Currently, all init scripts, except for systemd, will generate a config
file with default permissions, which is usually `rw-r--r--`.
This is bad, because the config contains a private key.

The systemd service does `chmod 640` after creating the config, which is
much better than just leaving it readable for everyone forever, but
there is still a slight chance that some malicious program might steal
the private key during the time window between key creation and chmod.

For this reason, in this pull request I use `umask 037`, so the config
won't have read permission for others in the first place.

Note that I have only tested openrc and systemd services.

Also, I'm not sure what to do with the contrib/msi/build-msi.sh script,
which creates a bat file that generates a config. I don't know anything
about file permissions on Windows. However, it seems that the bat file
generates the config into a user's personal directory, so maybe it's
already somewhat fine.
2026-01-18 14:58:00 +00:00


#!/sbin/openrc-run
# OpenRC service script for the yggdrasil daemon.

description='An experiment in scalable routing as an encrypted IPv6 overlay network.'

# Daemon binary; start_pre() also runs it with -genconf when no config exists.
command='/usr/bin/yggdrasil'

# Node configuration file. It contains the node's private key, so it must
# never be readable by "others"; start_pre() creates it under umask 037.
CONFFILE='/etc/yggdrasil.conf'

# PID file written by start-stop-daemon (--make-pidfile) in start().
pidfile="/run/$RC_SVCNAME.pid"
# Declare service dependencies for OpenRC.
# "use" lists soft dependencies: net, dns and logger are requested here
# without being declared as hard requirements ("need").
depend() {
  use net dns logger
}
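# Pre-start hook: make sure a configuration file and the TUN device exist.
# Globals:   CONFFILE (read), command (read)
# Returns:   0 when both prerequisites are in place, 1 otherwise
#            (a non-zero status aborts the service start).
start_pre() {
  if [ ! -f "${CONFFILE}" ]; then
    ebegin "Generating new configuration file into ${CONFFILE}"
    # The config holds the node's private key. The redirection creates the
    # file inside the subshell, i.e. already under umask 037, so it is born
    # with mode 0640 and is never readable by "others" - there is no window
    # between creation and a later chmod. The subshell keeps the umask
    # change from leaking into the rest of the service script.
    # ${command} and ${CONFFILE} are quoted and run without eval so their
    # contents are not re-parsed by the shell.
    if ! (umask 037 && "${command}" -genconf > "${CONFFILE}"); then
      # The redirection may already have created an empty or truncated file.
      # Remove it, otherwise the next start would skip generation and run
      # the daemon against a broken config.
      rm -f -- "${CONFFILE}"
      eend 1 "Failed to generate configuration file"
      return 1
    fi
    eend 0
  fi
  # NOTE(review): a config that already exists is left untouched, including
  # its mode. Files generated before the umask fix may still be
  # world-readable; check their permissions separately.

  if [ ! -e /dev/net/tun ]; then
    ebegin "Inserting TUN module"
    if ! modprobe tun; then
      eend 1 "Failed to insert TUN kernel module"
      return 1
    fi
    eend 0
  fi
}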
# Launch the daemon in the background through start-stop-daemon.
# Globals:   RC_SVCNAME, pidfile, command, CONFFILE (all read)
# Returns:   the status reported by eend for the start-stop-daemon call.
start() {
  ebegin "Starting ${RC_SVCNAME}"
  # --make-pidfile/--background: start-stop-daemon forks the process and
  # records its PID itself. stdout and stderr go to separate log files.
  # Everything after "--" is passed to the daemon.
  start-stop-daemon \
    --start --quiet \
    --pidfile "${pidfile}" --make-pidfile \
    --background \
    --stdout /var/log/yggdrasil.stdout.log \
    --stderr /var/log/yggdrasil.stderr.log \
    --exec "${command}" \
    -- -useconffile "${CONFFILE}"
  eend "$?"
}
# Stop the daemon recorded in the PID file.
# Globals:   RC_SVCNAME, pidfile, command (all read)
# Returns:   the status reported by eend for the start-stop-daemon call.
stop() {
  ebegin "Stopping ${RC_SVCNAME}"
  # --exec is passed next to --pidfile so the process is matched against
  # the daemon binary as well as the recorded PID.
  start-stop-daemon \
    --stop \
    --pidfile "${pidfile}" \
    --exec "${command}"
  eend "$?"
}