-rw-r--r--dist/systemd/wgconfd@.service2
-rw-r--r--src/manager.rs12
2 files changed, 13 insertions, 1 deletions
diff --git a/dist/systemd/wgconfd@.service b/dist/systemd/wgconfd@.service
index 85acb13..3b85809 100644
--- a/dist/systemd/wgconfd@.service
+++ b/dist/systemd/wgconfd@.service
@@ -10,8 +10,10 @@ CapabilityBoundingSet=CAP_NET_ADMIN
Restart=on-failure
RestartSec=0
RuntimeDirectory=wgconfd/%i
+RuntimeDirectoryMode=0700
RuntimeDirectoryPreserve=yes
CacheDirectory=wgconfd/%i
+CacheDirectoryMode=0700
ExecStart=/usr/bin/env wgconfd %i /etc/wireguard/%i.toml
StandardError=journal
SyslogLevelPrefix=true
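Review bot: The new `RuntimeDirectoryMode=0700` and `CacheDirectoryMode=0700` lines apply, as I read the systemd.exec documentation, only to the innermost `%i` directory; the intermediate `wgconfd` parent under /run and /var/cache is created by systemd with its default mode, so the privacy guarantee rests on the leaf directory alone. That is sufficient for the files inside, but the intent deserves a comment so a later edit does not relax it, e.g. `# 0700: the per-instance runtime/cache dirs hold private state; keep them readable only by the service user` placed above the two Mode= lines. The effect also depends on the unit's `User=`/`Group=` settings, which are outside this hunk.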
diff --git a/src/manager.rs b/src/manager.rs
index 87175dc..3f487bf 100644
--- a/src/manager.rs
+++ b/src/manager.rs
@@ -4,6 +4,8 @@
use crate::{builder, config, model, proto, wg};
use std::ffi::{OsStr, OsString};
+#[cfg(unix)]
+use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};
use std::time::{Duration, Instant, SystemTime};
use std::{fs, io};
@@ -26,7 +28,15 @@ fn update_file(path: &Path, data: &[u8]) -> io::Result<()> {
tmp_path.push(".tmp");
let tmp_path = PathBuf::from(tmp_path);
- let mut file = fs::File::create(&tmp_path)?;
+ let mut file = {
+ let mut file = fs::OpenOptions::new();
+ file.append(true);
+ file.create_new(true);
+ #[cfg(unix)]
+ file.mode(0o0600);
+ file.open(&tmp_path)?
+ };
+
let r = io::Write::write_all(&mut file, data)
.and_then(|_| file.sync_data())
.and_then(|_| fs::rename(&tmp_path, &path));
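Review bot: Switching from `fs::File::create` to `create_new(true)` means a leftover `tmp_path` makes every later call to `update_file` fail with `AlreadyExists`; a stale `.tmp` is exactly what a crash or SIGKILL between the open and the `fs::rename` leaves behind, and cleanup code after the hunk (the function continues past it) cannot run in that case. Since the service now runs these directories with mode 0700, an unconditional best-effort unlink before the open is safe and keeps the O_EXCL/symlink protection that `create_new` gives: `// best-effort: drop a stale temp file from an interrupted earlier update` followed by `let _ = fs::remove_file(&tmp_path);` just before the `let mut file = { ... }` block. Separately, `file.append(true)` reads oddly for a file that is guaranteed fresh by `create_new`; `file.write(true)` states the intent more clearly with identical behaviour here. The `#[cfg(unix)]` guard means non-Unix builds create the temp file with default permissions, which is worth a one-line comment on the `mode(0o0600)` line so the platform dependence is visible (the matching `OpenOptionsExt` import in the earlier hunk needs no change).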