From: Jason A. Donenfeld Date: Sun, 1 Oct 2017 20:05:19 +0000 (+0200) Subject: wg-quick: check permissions of parent directory X-Git-Tag: v1.0.20191226~217 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83caaa7a96f87dea0687003fe1cae531aec5a5b5;p=thirdparty%2Fwireguard-tools.git wg-quick: check permissions of parent directory Also prefix octal 0, in case these files are actually of modes that don't start with 0 by accident (such as SUID or sticky bit). Signed-off-by: Jason A. Donenfeld
---
diff --git a/src/wg-quick.bash b/src/wg-quick.bash
index 5295c8b..015df85 100755
--- a/src/wg-quick.bash
+++ b/src/wg-quick.bash
@@ -30,7 +30,7 @@ parse_options() {
 [[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,16}$ ]] && CONFIG_FILE="/etc/wireguard/$CONFIG_FILE.conf"
 [[ -e $CONFIG_FILE ]] || die "\`$CONFIG_FILE' does not exist"
 [[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,16})\.conf$ ]] || die "The config file must be a valid interface name, followed by .conf"
- ((($(stat -c '%#a' "$CONFIG_FILE") & 0007) == 0)) || echo "Warning: \`$CONFIG_FILE' is world accessible" >&2
+ ((($(stat -c '0%#a' "$CONFIG_FILE") & $(stat -c '0%#a' "/etc/wireguard") & 0007) == 0)) || echo "Warning: \`$CONFIG_FILE' is world accessible" >&2
 INTERFACE="${BASH_REMATCH[1]}"
 shopt -s nocasematch
 while read -r line || [[ -n $line ]]; do
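Review bot: The added permission test ANDs the file's mode with the directory's mode, which compares the wrong bits and can hide a config that really is world readable. Others need only the search bit (0001) on a directory to reach a file inside it, so a 0644 config under a 0711 directory evaluates to `0644 & 0711 & 0007 == 0` and prints no warning. The directory is also hard-coded to `/etc/wireguard`, while `CONFIG_FILE` may be a path elsewhere (the first context line rewrites only bare names), so a world-readable config in another directory is silenced whenever `/etc/wireguard` itself is 0700. Testing the two modes separately against the file's real parent would cover both cases, for example `((($(stat -c '0%#a' "$CONFIG_FILE") & 0007) == 0 || ($(stat -c '0%#a' "$(dirname "$CONFIG_FILE")") & 0001) == 0)) || echo …` with the existing warning text. parse_options begins before and continues after this hunk, so any later handling of the path is not visible here.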