authorYu Watanabe <watanabe.yu+github@gmail.com>2019-09-12 12:02:28 +0900
committerGitHub <noreply@github.com>2019-09-12 12:02:28 +0900
commit7d79cc96ea4e730271b54945d981bbaf73ca1742 (patch)
tree863010b68a3acbd503fc701f3be06e1049950c4b
parent26fe3af8ae7d52847eb3f2267eaa3df3af90d811 (diff)
parentbe7110826eb4d7d0fafee4790562e0dedb9d817b (diff)
downloadsystemd-7d79cc96ea4e730271b54945d981bbaf73ca1742.tar.gz
Merge pull request #13526 from yuwata/network-check-access-mode-of-key-file
network: check access mode of key file
-rw-r--r--src/basic/fileio.c4
-rw-r--r--src/network/netdev/macsec.c2
-rw-r--r--src/network/netdev/netdev.c2
-rw-r--r--src/network/netdev/wireguard.c2
-rw-r--r--src/network/networkd-network.c2
5 files changed, 8 insertions, 4 deletions
diff --git a/src/basic/fileio.c b/src/basic/fileio.c
index 623e43e4ca..a9c0fd20e1 100644
--- a/src/basic/fileio.c
+++ b/src/basic/fileio.c
@@ -930,10 +930,10 @@ int warn_file_is_world_accessible(const char *filename, struct stat *st, const c
if (unit)
log_syntax(unit, LOG_WARNING, filename, line, 0,
- "%s has %04o mode that is too permissive, please adjust the access mode.",
+ "%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
filename, st->st_mode & 07777);
else
- log_warning("%s has %04o mode that is too permissive, please adjust the access mode.",
+ log_warning("%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
filename, st->st_mode & 07777);
return 0;
}
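Review bot: The reworded messages at lines 29 and 33 now ask the administrator to adjust the ownership, but the only value logged is `st->st_mode & 07777`, so the owner the advice refers to is never shown. Logging the owner alongside the mode, e.g. `"%s has %04o mode and is owned by UID %u, which is too permissive, ..."` with `(unsigned) st->st_uid` as the extra argument, would make the advice actionable. The condition that triggers the warning is outside the hunk, so whether ownership is actually part of the check cannot be seen here.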
diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index cf281e75a6..d1d65a69bf 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -981,6 +981,8 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
if (!sa->key_file)
return 0;
+ (void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0);
+
r = read_full_file_full(sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX, (char **) &key, &key_len);
if (r < 0)
return log_netdev_error_errno(netdev, r,
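Review bot: The new check at line 44 stats sa->key_file by path, and read_full_file_full() at line 46 then opens the same path independently, so if the file is replaced between the two calls the mode that was warned about may belong to a different inode than the one the key is actually read from; an fstat on the descriptor the key is read from would tie the warning to the bytes that are used. The return value is also discarded, so a too-permissive key file is reported but still loaded — if that is intentional, a comment such as `/* A permissive mode is only warned about; the key is still used. */` above line 44 would make the contract explicit. The same applies to the wireguard.c hunk, which adds the identical call before its read_full_file_full(). macsec_read_key_file's body continues outside the hunk.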
diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c
index 7735b455b7..7853e197f1 100644
--- a/src/network/netdev/netdev.c
+++ b/src/network/netdev/netdev.c
@@ -844,7 +844,7 @@ int netdev_load(Manager *manager) {
STRV_FOREACH(f, files) {
r = netdev_load_one(manager, *f);
if (r < 0)
- return r;
+ log_error_errno(r, "Failed to load %s, ignoring: %m", *f);
}
return 0;
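Review bot: With line 58 replacing the early return, netdev_load() now reaches `return 0;` at line 60 even when one or more .netdev files failed to load, so callers can no longer tell that something was skipped. If that is the intended contract, the function's header comment should state it, e.g. `/* Failures to load individual .netdev files are logged and the file is skipped; returns 0 unless enumerating the files fails. */`, and the same note applies to the networkd-network.c hunk, which makes the identical change in network_load(). The start of netdev_load() is outside the hunk, so any existing header comment cannot be seen here.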
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index 913ee2a058..a40b32d148 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -901,6 +901,8 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_
assert(dest);
+ (void) warn_file_is_world_accessible(filename, NULL, NULL, 0);
+
r = read_full_file_full(filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64, &key, &key_len);
if (r < 0)
return r;
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index 2b8d0eb2fb..fe81f1b720 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -506,7 +506,7 @@ int network_load(Manager *manager) {
STRV_FOREACH(f, files) {
r = network_load_one(manager, *f);
if (r < 0)
- return r;
+ log_error_errno(r, "Failed to load %s, ignoring: %m", *f);
}
return 0;