Hi, To be sure I don't accidentally overwrite the passphrase files, I'd like to make them read only. The current code expects them to be readable and writable. I took the new code from ssh (sshkey_perm_ok function).
While there, I changed the error message (also based on ssh) so the user has a better idea of what the program wants. Index: bioctl.c =================================================================== RCS file: /cvs/src/sbin/bioctl/bioctl.c,v retrieving revision 1.144 diff -u -p -r1.144 bioctl.c --- bioctl.c 25 Apr 2020 14:37:43 -0000 1.144 +++ bioctl.c 1 Jun 2020 22:10:31 -0000 @@ -1328,8 +1328,8 @@ derive_key(u_int32_t type, int rounds, u err(1, "can't stat passphrase file"); if (sb.st_uid != 0) errx(1, "passphrase file must be owned by root"); - if ((sb.st_mode & ~S_IFMT) != (S_IRUSR | S_IWUSR)) - errx(1, "passphrase file has the wrong permissions"); + if ((sb.st_mode & 077) != 0) + errx(1, "passphrase file must not be accessible by others"); if (fgets(passphrase, sizeof(passphrase), f) == NULL) err(1, "can't read passphrase file"); Cheers, Daniel