From: Lennart Poettering
Date: Fri, 17 Jul 2020 09:53:22 +0000 (+0200)
Subject: fileio: add explicit flag for generating world executable warning when reading file
X-Git-Tag: v246-rc2~29^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f294470262fed5dffbfd055b0054370dc3021662;p=thirdparty%2Fsystemd.git

fileio: add explicit flag for generating world executable warning when reading file
---
diff --git a/src/basic/fileio.c b/src/basic/fileio.c
index f2f1e1139f7..6478a14097d 100644
--- a/src/basic/fileio.c
+++ b/src/basic/fileio.c
@@ -505,7 +505,7 @@ int read_full_stream_full(
 if (st.st_size > 0)
 n_next = st.st_size + 1;
 
- if (flags & READ_FULL_FILE_SECURE)
+ if (flags & READ_FULL_FILE_WARN_WORLD_READABLE)
 (void) warn_file_is_world_accessible(filename, &st, NULL, 0);
 }
 }
diff --git a/src/basic/fileio.h b/src/basic/fileio.h
index e2830b7963e..4ce51265157 100644
--- a/src/basic/fileio.h
+++ b/src/basic/fileio.h
@@ -32,9 +32,10 @@ typedef enum {
 } WriteStringFileFlags;
 
 typedef enum {
- READ_FULL_FILE_SECURE = 1 << 0,
- READ_FULL_FILE_UNBASE64 = 1 << 1,
- READ_FULL_FILE_UNHEX = 1 << 2,
+ READ_FULL_FILE_SECURE = 1 << 0,
+ READ_FULL_FILE_UNBASE64 = 1 << 1,
+ READ_FULL_FILE_UNHEX = 1 << 2,
+ READ_FULL_FILE_WARN_WORLD_READABLE = 1 << 3,
 } ReadFullFileFlags;
 
 int fopen_unlocked(const char *path, const char *options, FILE **ret);
diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 57d8f567b96..ab55a4a4894 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
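Review bot: The new `if (flags & READ_FULL_FILE_WARN_WORLD_READABLE)` check sits inside the nested block that the two closing braces end, so the warning is only emitted on the path where `st` was filled in; a caller that sets the flag for a stream that never reaches this branch gets no warning and nothing says so. The helper is named `warn_file_is_world_accessible`, the flag says `WARN_WORLD_READABLE`, and the commit title says "world executable" — three names for one check, which will confuse anyone grepping for it later; pick one before the flag spreads to more callers. A comment above the check would make the new contract explicit: `/* Warn only when asked to; READ_FULL_FILE_SECURE alone no longer implies this check. */`. read_full_stream_full starts and ends outside the hunk.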
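Review bot: The new `READ_FULL_FILE_WARN_WORLD_READABLE` enumerator is undocumented, and since the fileio.c hunk shows that `READ_FULL_FILE_SECURE` alone used to trigger the world-accessible warning, any existing caller passing only SECURE silently loses that warning — a bit flag gives no compile-time hint, so the header is the only place to say it. Suggest a trailing comment on the new value, `READ_FULL_FILE_WARN_WORLD_READABLE = 1 << 3, /* log via warn_file_is_world_accessible(); SECURE alone no longer implies this */`, and a one-line comment above the enum noting that these are OR-able flags for read_full_file_full(). The comment can also note the name mismatch with the helper, which checks "accessible" rather than "readable".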
@@ -983,7 +983,7 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
 
 (void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0);
 
- r = read_full_file_full(AT_FDCWD, sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX, (char **) &key, &key_len);
+ r = read_full_file_full(AT_FDCWD, sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE, (char **) &key, &key_len);
 if (r < 0)
 return log_netdev_error_errno(netdev, r, "Failed to read key from '%s', ignoring: %m",
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index b6af9925b74..9636ac77367 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -888,7 +888,7 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_
 
 (void) warn_file_is_world_accessible(filename, NULL, NULL, 0);
 
- r = read_full_file_full(AT_FDCWD, filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64, &key, &key_len);
+ r = read_full_file_full(AT_FDCWD, filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE, &key, &key_len);
 if (r < 0)
 return r;
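Review bot: The explicit `(void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0);` two lines above the changed call is kept while the call now also passes `READ_FULL_FILE_WARN_WORLD_READABLE`, so per the fileio.c hunk the library repeats the same check and the key file is presumably warned about twice. The in-library check runs on the `st` of the stream that was actually opened, while the path-based call here inspects whatever the path names at that moment, which can differ from the file later read; keeping only the flag is the more accurate of the two, so this line should go. The same duplicate remains in the wireguard.c hunk below. The `return log_netdev_error_errno(...)` argument list and the rest of macsec_read_key_file continue outside the hunk.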