From 0b559bb54fe436ba9485b128460fb98b6408f004 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Tue, 20 Feb 2024 02:11:03 +0100
Subject: [PATCH] Warn if the main config file could be written by other system users

---
 dnscrypt-proxy/common.go | 31 +++++++++++++++++++++++++++++++
 dnscrypt-proxy/config.go |  1 +
 2 files changed, 32 insertions(+)

diff --git a/dnscrypt-proxy/common.go b/dnscrypt-proxy/common.go
index 499f0b0b..a1c50659 100644
--- a/dnscrypt-proxy/common.go
+++ b/dnscrypt-proxy/common.go
@@ -6,9 +6,12 @@ import (
 	"errors"
 	"net"
 	"os"
+	"path"
 	"strconv"
 	"strings"
 	"unicode"
+
+	"github.com/jedisct1/dlog"
 )
 
 type CryptoConstruction uint16
@@ -162,3 +165,31 @@ func ReadTextFile(filename string) (string, error) {
 	bin = bytes.TrimPrefix(bin, []byte{0xef, 0xbb, 0xbf})
 	return string(bin), nil
 }
+
+func maybeWritableByOtherUsers(p string) (bool, string, error) {
+	p = path.Clean(p)
+	for p != "/" && p != "." {
+		st, err := os.Stat(p)
+		if err != nil {
+			return false, p, err
+		}
+		mode := st.Mode()
+		if mode&2 == 2 && !(st.IsDir() && mode&01000 == 01000) {
+			return true, p, nil
+		}
+		p = path.Dir(p)
+	}
+	return false, "", nil
+}
+
+func WarnIfMaybeWritableByOtherUsers(p string) {
+	if ok, px, err := maybeWritableByOtherUsers(p); ok {
+		if px == p {
+			dlog.Criticalf("[%s] is writable by other system users - If this is not intentional, it is recommended to fix the access permissions", p)
+		} else {
+			dlog.Warnf("[%s] can be modified by other system users because [%s] is writable by other users - If this is not intentional, it is recommended to fix the access permissions", p, px)
+		}
+	} else if err != nil {
+		dlog.Warnf("Error while checking if [%s] is accessible: [%s] : [%s]", p, px, err)
+	}
+}
diff --git a/dnscrypt-proxy/config.go b/dnscrypt-proxy/config.go
index 7b73c181..7b5eeb3c 100644
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
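Review bot: The sticky-bit exemption in maybeWritableByOtherUsers never fires, because `os.FileMode` does not carry the raw Unix 01000 bit (Go reports it as `os.ModeSticky`), so a config file located under a world-writable sticky directory such as /tmp is reported as writable by other users. The condition should read `if mode&0o002 != 0 && !(st.IsDir() && mode&os.ModeSticky != 0) {`. The function also walks with the slash-only `path` package and, as far as I can tell, os.Stat on Windows synthesizes 0666 for any file not marked read-only, so on that platform every writable config would hit the Criticalf branch; an early `if runtime.GOOS == "windows" { return false, "", nil }` (with a `runtime` import added to the first hunk) and `filepath` in place of `path` would avoid that. Group-writable files (0o020) are not considered, which may be intentional but is worth a comment. A relative path stops the walk at "." so the parents of the working directory are never inspected; resolving it with filepath.Abs first would make the check cover the whole chain.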
@@ -326,6 +326,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 			*flags.ConfigFile,
 		)
 	}
+	WarnIfMaybeWritableByOtherUsers(foundConfigFile)
 	config := newConfig()
 	md, err := toml.DecodeFile(foundConfigFile, &config)
 	if err != nil {
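Review bot: The new call carries no comment stating that it only logs and never aborts loading, which a reader of ConfigLoad might otherwise expect from a permission check placed directly before the decode; a one-line comment such as `// Warn-only: a config writable by other users is logged, not rejected.` would make that clear. ConfigLoad starts and ends outside the hunk. Whether files referenced from the configuration receive the same check is not visible here.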