Hi Mike--

On Sun 2018-07-01 13:16:56 -0700, Mike Swanson wrote:

> When installing wireguard-tools, the /etc/wireguard directory is created
> that can contain configuration files for the wg-quick service to use.
>
> These configuration files will contain the private key of the local
> machine for the VPN configuration, and as such, the default mode (755)
> for the directory is unsuitable for production use, since it creates an
> opportunity for any user to be able to print out the contents of the
> configuration files (if they were not changed to mode 600 themselves),
> and potentially break the security model of the WireGuard VPN altogether.

as you identify, the modes of the files in /etc/wireguard/ are indeed the
relevant features, not the mode of the parent directory itself.

I'd argue that if the local admin is putting secrets in those files, the
local admin should be responsible for locking them down correctly, and
probably shouldn't rely on the permissions of /etc/wireguard/.

> I propose changing the default mode of the /etc/wireguard directory to 600.
> I do this on my own machines and there is no functionality impact for the
> software, only that the private keys become completely inaccessible for
> anyone but root.

that would also mean that the user of the system cannot see what config
files are available (e.g. for tab completion of "sudo wg-quick up
<TAB>").

I'm willing to make this change if there are no objections, but it'd be
great to get a clearer sense from other users whether this is a sensible
thing to do.

    --dkg
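
An added example, not part of the original message or of the wireguard-tools package: a POSIX shell audit that checks the modes of the files themselves, as the reply argues, and leaves the directory mode alone so that listing and tab completion keep working. The function names are hypothetical; /etc/wireguard and mode 600 come from the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Audits wg-quick config files
# for group/other access instead of relying on the parent directory's mode.

# Print every regular file under $1 (default /etc/wireguard) that has any
# group or other permission bit set. Uses only POSIX find predicates.
wg_loose_files() {
    dir=${1:-/etc/wireguard}
    find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Of the loose files, print those that contain a "PrivateKey =" line,
# matched case-insensitively. These are the ones that expose the secret.
wg_exposed_keys() {
    wg_loose_files "$1" | while IFS= read -r f; do
        if grep -Eqi '^[[:space:]]*PrivateKey[[:space:]]*=' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Set every loose file to mode 600 and report what was changed.
# The directory itself is deliberately not touched.
wg_tighten() {
    wg_loose_files "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'chmod 600 %s\n' "$f"
    done
}
```

Run `wg_exposed_keys` as root to list the files that need attention, then `wg_tighten` to fix them; both take an optional directory argument.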
