wg-quick: linux: check for CAP_NET_ADMIN and config file access before auto_su jd/capability-check
authorJason A. Donenfeld <Jason@zx2c4.com>
Fri, 28 Aug 2020 08:58:51 +0000 (10:58 +0200)
committerJason A. Donenfeld <Jason@zx2c4.com>
Fri, 28 Aug 2020 09:04:21 +0000 (11:04 +0200)
This way people can use wg-quick in situations where they only have
CAP_NET_ADMIN but not other capabilities, and are operating on writable
files.

Suggested-by: Jonny Fillmore <jonathon.fillmore@netprotect.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
src/wg-quick/linux.bash

index e4d4c4f08fc32b14ec3942d10fa951c39de16899..3a17a4d5c9a3a0d39568a6eaa330d776c9143be2 100755 (executable)
@@ -81,8 +81,27 @@ read_bool() {
        esac
 }
 
+has_cap_net_admin() {
+       local line
+       while read -r line; do
+               [[ $line =~ ^CapEff:\   [0-9a-f]*([0-9a-f])[0-9a-f]{3}$ ]] || continue
+               (( 0x${BASH_REMATCH[1]} & 1 != 0 )) && return 0
+               return 1
+       done < /proc/self/status
+       return 1
+}
+
+config_file_is_writable() {
+       local cf="$1"
+       [[ $cf =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/wireguard/$cf.conf"
+       [[ -w $cf ]] && return 0
+       return 1
+}
+
 auto_su() {
-       [[ $UID == 0 ]] || exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}"
+       [[ $UID == 0 ]] && return 0
+       has_cap_net_admin && config_file_is_writable "${ARGS[2]}" && return 0
+       exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}"
 }
 
 add_if() {
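Review bot: In `config_file_is_writable`, the regex branch stores the resolved path in the global `CONFIG_FILE`, but the next line still tests the original argument with `[[ -w $cf ]]`, so for a bare interface name the check looks for a file of that name relative to the current directory instead of `/etc/wireguard/<name>.conf`, and the function also clobbers `CONFIG_FILE` as a side effect; the intended line is presumably `[[ $cf =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && cf="/etc/wireguard/$cf.conf"`. In `auto_su`, `"${ARGS[2]}"` is passed as the config operand, but `ARGS` is defined outside the hunk, so confirm that index 2 really holds the config/interface argument rather than the subcommand — a wrong index makes the new path always fall through to `sudo` without any visible error. The bit test in `has_cap_net_admin` only works because `!=` binds tighter than `&` in bash arithmetic; `(( (0x${BASH_REMATCH[1]} & 1) != 0 ))` states the intent explicitly. Both new functions and `auto_su` are fully contained in the hunk.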