From f3caeab25418d64309b87a76e4d5f53d011e3f40 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 28 Aug 2020 10:58:51 +0200
Subject: [PATCH] wg-quick: linux: check for CAP_NET_ADMIN and config file access before auto_su
This way people can use wg-quick in situations where they only have CAP_NET_ADMIN but not other capabilities, and are operating on writable files.
Suggested-by: Jonny Fillmore
Signed-off-by: Jason A. Donenfeld
---
 src/wg-quick/linux.bash | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index e4d4c4f..3a17a4d 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -81,8 +81,27 @@ read_bool() {
 esac
 }
+has_cap_net_admin() {
+ local line
+ while read -r line; do
+ [[ $line =~ ^CapEff:\ [0-9a-f]*([0-9a-f])[0-9a-f]{3}$ ]] || continue
+ (( 0x${BASH_REMATCH[1]} & 1 != 0 )) && return 0
+ return 1
+ done < /proc/self/status
+ return 1
+}
+
+config_file_is_writable() {
+ local cf="$1"
+ [[ $cf =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/wireguard/$cf.conf"
+ [[ -w $cf ]] && return 0
+ return 1
+}
+
 auto_su() {
- [[ $UID == 0 ]] || exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}"
+ [[ $UID == 0 ]] && return 0
+ has_cap_net_admin && config_file_is_writable "${ARGS[2]}" && return 0
+ exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}"
 }
 add_if() {
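Review bot: In config_file_is_writable the regex branch stores the expanded path in the global CONFIG_FILE, but the next line tests `[[ -w $cf ]]` on the unexpanded argument, so for a bare interface name the writability check looks at a relative path in the current working directory rather than the config under /etc/wireguard, and the new non-root path in auto_su either falls through to sudo or succeeds on the strength of an unrelated file in the cwd. Assigning to the local instead keeps the test consistent with the path that is actually meant: `[[ $cf =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && cf="/etc/wireguard/$cf.conf"`. CONFIG_FILE is presumably set again by the option parsing outside this hunk, so the helper should not need to write the global at all. Separately, `${ARGS[2]}` depends on how ARGS is populated outside the hunk; if it mirrors the script's positional parameters, the config argument of `up`/`down` sits at index 1 rather than 2, which is worth confirming.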