mirror of
https://github.com/yggdrasil-network/yggdrasil-go.git
synced 2026-05-21 05:16:29 +03:00
df48ac2ada
Currently, all init scripts, except for systemd, will generate a config file with default permissions, which is usually `rw-r--r--`. This is bad, because the config contains a private key. The systemd service does `chmod 640` after creating the config, which is much better than just leaving it readable for everyone forever, but there is still a slight chance that some malicious program might steal the private key during the time window between key creation and chmod. For this reason, in this pull request I use `umask 037`, so the config won't have read permission for others in the first place. Note that I have only tested openrc and systemd services. Also, I'm not sure what to do with the contrib/msi/build-msi.sh script, which creates a bat file that generates a config. I don't know anything about file permissions on windows, however, it seems that the bat file generates the config into a user's personal directory, so maybe it's already somewhat fine.
15 lines
422 B
Plaintext
15 lines
422 B
Plaintext
[Unit]
|
|
Description=Yggdrasil default config generator
|
|
ConditionPathExists=|!/etc/yggdrasil/yggdrasil.conf
|
|
ConditionFileNotEmpty=|!/etc/yggdrasil/yggdrasil.conf
|
|
Wants=local-fs.target
|
|
After=local-fs.target
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
Group=yggdrasil
|
|
UMask=037
|
|
ExecStartPre=/usr/bin/mkdir -p /etc/yggdrasil
|
|
ExecStart=/usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf
|
|
ExecStartPost=/usr/bin/chmod -R 0640 /etc/yggdrasil
|