diff options
-rw-r--r-- | dist/systemd/wgconfd@.service | 2 | ||||
-rw-r--r-- | src/manager.rs | 12 |
2 files changed, 13 insertions, 1 deletions
diff --git a/dist/systemd/wgconfd@.service b/dist/systemd/wgconfd@.service index 85acb13..3b85809 100644 --- a/dist/systemd/wgconfd@.service +++ b/dist/systemd/wgconfd@.service @@ -10,8 +10,10 @@ CapabilityBoundingSet=CAP_NET_ADMIN Restart=on-failure RestartSec=0 RuntimeDirectory=wgconfd/%i +RuntimeDirectoryMode=0700 RuntimeDirectoryPreserve=yes CacheDirectory=wgconfd/%i +CacheDirectoryMode=0700 ExecStart=/usr/bin/env wgconfd %i /etc/wireguard/%i.toml StandardError=journal SyslogLevelPrefix=true diff --git a/src/manager.rs b/src/manager.rs index 87175dc..3f487bf 100644 --- a/src/manager.rs +++ b/src/manager.rs @@ -4,6 +4,8 @@ use crate::{builder, config, model, proto, wg}; use std::ffi::{OsStr, OsString}; +#[cfg(unix)] +use std::os::unix::fs::OpenOptionsExt; use std::path::{Path, PathBuf}; use std::time::{Duration, Instant, SystemTime}; use std::{fs, io}; @@ -26,7 +28,15 @@ fn update_file(path: &Path, data: &[u8]) -> io::Result<()> { tmp_path.push(".tmp"); let tmp_path = PathBuf::from(tmp_path); - let mut file = fs::File::create(&tmp_path)?; + let mut file = { + let mut file = fs::OpenOptions::new(); + file.append(true); + file.create_new(true); + #[cfg(unix)] + file.mode(0o0600); + file.open(&tmp_path)? + }; + let r = io::Write::write_all(&mut file, data) .and_then(|_| file.sync_data()) .and_then(|_| fs::rename(&tmp_path, &path)); |