From 327d999ca27595a76f023ab3b89941da25fc147b Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 8 May 2022 19:33:40 +0200
Subject: [PATCH] Improve warnings about ddclient.conf permissions. (fixes #348)

The new code will always warn if ddclient.conf is accessible by others, warn if it is owned by ddclient and accessible by the group, and otherwise warn if it is writable but not owned by ddclient. This primarily allows two permission modes for ddclient.conf: First, the classic `ddclient:ddclient mode 0600` as well as the more restrictive `root:ddclient mode 0640` which previously warned unnecessarily.
---
 ddclient.in | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/ddclient.in b/ddclient.in
index 7b7359c..e5675f9 100755
--- a/ddclient.in
+++ b/ddclient.in
@@ -1412,14 +1412,21 @@ sub _read_config {
     if (!open(FD, "< $file")) {
         warning("Cannot open file '%s'. (%s)", $file, $!);
     }
-    # Check for only owner has any access to config file
+
+    # If file is owned by our effective uid, ensure that it has no access for group or others.
+    # Otherwise, require that it isn't writable when not owned by us. For example allow it to
+    # be owned by root:ddclient with mode 640. Always ensure that it is not accessible to others.
     my ($dev, $ino, $mode, @statrest) = stat(FD);
-    if ($mode & 077) {
+    if ($mode & 077 && -o FD) {
         if (-f FD && (chmod 0600, $file)) {
-            warning("file %s must be accessible only by its owner (fixed).", $file);
-        } else {
-            warning("file %s must be accessible only by its owner.", $file);
+            warning("file $file must be accessible only by its owner (fixed).");
         }
+        warning("file $file must be accessible only by its owner.");
+    } elsif (! -o FD && -w FD) {
+        warning("file $file should be owned only by ddclient or not be writable.");
+    }
+    if ($mode & 07) {
+        warning("file $file must not be accessible by others.");
     }
     local $lineno = 0;