Package: wireguard-tools
Version: 0.0.20180625-1
Severity: normal

When installing wireguard-tools, the /etc/wireguard directory is created,
which can contain configuration files for the wg-quick service to use.

These configuration files will contain the private key of the local
machine for the VPN configuration, and as such, the default mode (755)
for the directory is unsuitable for production use, since it creates an
opportunity for any user to be able to print out the contents of the
configuration files (if they were not changed to mode 600 themselves),
and potentially break the security model of the WireGuard VPN altogether.

I propose changing the default mode of the /etc/wireguard directory to 600.
I do this on my own machines and there is no functionality impact for the
software, only that the private keys become completely inaccessible for
anyone but root.
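
An audit for the exposure described in this report, added here as an example and not part of the original report or of wireguard-tools: it flags a configuration directory that group or other can enter, and files inside it that group or other can read. The function name `audit_wg_dir` and the output labels are hypothetical; the `PrivateKey` line is the key field of a wg-quick configuration file.

```shell
#!/bin/sh
# Added example (not from the bug report or from wireguard-tools).
# audit_wg_dir [DIR] -> prints findings; returns 0 clean, 1 findings, 2 DIR missing.
# DIR defaults to /etc/wireguard, the path named in the report.
# The body runs in a subshell so IFS and globbing changes stay local.

audit_wg_dir() (
    dir=${1:-/etc/wireguard}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    rc=0

    # Search (x) permission for group or other on the directory is what lets
    # unprivileged users reach the files inside it at all.
    if [ -n "$(find "$dir" -prune \( -perm -010 -o -perm -001 \) -print)" ]; then
        dir_open=yes
        echo "DIR-OPEN $dir"
        rc=1
    else
        dir_open=no
    fi

    # Regular files readable by group or other. Behind an open directory they
    # are directly readable; behind a closed one they are a latent risk.
    loose=$(find "$dir" -type f \( -perm -040 -o -perm -004 \) -print)
    if [ -z "$loose" ]; then
        return "$rc"
    fi

    set -f          # no glob expansion while splitting the file list
    IFS='
'
    for f in $loose; do
        # Label files that actually carry key material.
        if grep -q '^[[:space:]]*PrivateKey' "$f" 2>/dev/null; then
            kind=KEY
        else
            kind=FILE
        fi
        if [ "$dir_open" = yes ]; then
            echo "${kind}-EXPOSED $f"
        else
            echo "${kind}-LOOSE-MODE $f (shielded only by directory mode)"
        fi
    done
    return 1
)
```

Run `audit_wg_dir` with no argument as root to check the installed directory; a non-zero return can gate a configuration-management run or a package post-install check.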
