Merge pull request #13526 from yuwata/network-check-access-mode-of-key-file

network: check access mode of key file
2019-09-12 12:02:28 +09:00 · 2019-09-12 12:02:28 +09:00 · 7d79cc96ea
parent 26fe3af8ae be7110826e
commit 7d79cc96ea
5 changed files with 8 additions and 4 deletions
--- a/src/basic/fileio.c
+++ b/src/basic/fileio.c
@ -930,10 +930,10 @@ int warn_file_is_world_accessible(const char *filename, struct stat *st, const c

        if (unit)
                log_syntax(unit, LOG_WARNING, filename, line, 0,
-                           "%s has %04o mode that is too permissive, please adjust the access mode.",
+                           "%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
                           filename, st->st_mode & 07777);
        else
-                log_warning("%s has %04o mode that is too permissive, please adjust the access mode.",
+                log_warning("%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
                            filename, st->st_mode & 07777);
        return 0;
 }
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@ -981,6 +981,8 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
        if (!sa->key_file)
                return 0;

+        (void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0);
+
        r = read_full_file_full(sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX, (char **) &key, &key_len);
        if (r < 0)
                return log_netdev_error_errno(netdev, r,
--- a/src/network/netdev/netdev.c
+++ b/src/network/netdev/netdev.c
@ -844,7 +844,7 @@ int netdev_load(Manager *manager) {
        STRV_FOREACH(f, files) {
                r = netdev_load_one(manager, *f);
                if (r < 0)
-                        return r;
+                        log_error_errno(r, "Failed to load %s, ignoring: %m", *f);
        }

        return 0;
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@ -901,6 +901,8 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_

        assert(dest);

+        (void) warn_file_is_world_accessible(filename, NULL, NULL, 0);
+
        r = read_full_file_full(filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64, &key, &key_len);
        if (r < 0)
                return r;
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@ -506,7 +506,7 @@ int network_load(Manager *manager) {
        STRV_FOREACH(f, files) {
                r = network_load_one(manager, *f);
                if (r < 0)
-                        return r;
+                        log_error_errno(r, "Failed to load %s, ignoring: %m", *f);
        }

        return 0;