On June 22, 2018 9:26 PM, Lonnie Abelbeck <[email protected]> wrote:
> How about not supporting direct execution of commands in the config
> [Interface] section but rather support an optional path to where a fixed
> command (e.g. wireguard.script) is found...
>
> --------------------------------
> ActionScriptDir = /usr/local/bin
> --------------------------------
>
> Then instead of executing the PostUp/PostDown/PreUp/PreDown data, the
> wg-quick script would call:
>
> ------------------------------------------------------------------------------
> /usr/local/bin/wireguard.script PRE_UP|PRE_DOWN|POST_UP|POST_DOWN "$INTERFACE"
> ------------------------------------------------------------------------------
>
> 1. When called, the first argument would be one of:
>    PRE_UP|PRE_DOWN|POST_UP|POST_DOWN
> 2. When called, the second argument would be the wireguard interface.
> 3. If ActionScriptDir is not defined, then wireguard.script is not called.
>
> This requires an extra step to be taken to create a wireguard.script file
> with execute permissions and possibly require specific ownership.
>
> Lonnie

But an attacker will helpfully provide you with a customized 'wireguard.script'
as well, and even tell you how to use it by setting 'chmod 4777 wireguard.script'.

Jordan

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
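The following is an added example written for this page; it is not code from wg-quick or from either poster. It implements the dispatcher Lonnie sketches (read ActionScriptDir from the [Interface] section, run wireguard.script with the event name and interface, do nothing when the key is absent) and adds the ownership and permission checks that the proposal says would "possibly" be required, so that the case Jordan raises (a script shipped next to the config and made setuid with chmod 4777) is refused rather than executed. The function names, the config file used as input and the rule "the script must be owned by the uid running the dispatcher and must not be setuid, setgid or group/world writable" are all assumptions made here; the example assumes GNU coreutils stat (the -c option) and a POSIX sh.

```shell
#!/bin/sh
# Added example (not wg-quick's own code): a dispatcher for the proposed
# ActionScriptDir design, with the ownership/permission checks that would be
# needed to make it meaningful. Assumes GNU coreutils stat (-c) and that the
# trusted owner is the uid running this script (root when run by wg-quick).

# Read "ActionScriptDir = <dir>" from a wg-quick style config.
# Prints the directory, or nothing if the key is not set.
action_script_dir() {
    sed -n 's/^[[:space:]]*ActionScriptDir[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Refuse anything an untrusted config author could have planted alongside the
# config: symlinks, files owned by someone else, group/world-writable files,
# and setuid/setgid files (the "chmod 4777 wireguard.script" case).
# Returns 0 if the script is acceptable, 1 otherwise.
check_action_script() {
    script="$1"
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "refusing $script: not a regular file" >&2
        return 1
    fi
    [ -x "$script" ] || { echo "refusing $script: not executable" >&2; return 1; }
    owner=$(stat -c '%u' "$script")
    mode=$(stat -c '%a' "$script")   # octal without leading zero, e.g. 755 or 4777
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $script: owned by uid $owner, not $(id -u)" >&2
        return 1
    fi
    # 06022 = setuid | setgid | group-write | other-write
    if [ $(( 0$mode & 06022 )) -ne 0 ]; then
        echo "refusing $script: mode $mode is setuid/setgid or writable by others" >&2
        return 1
    fi
    return 0
}

# run_action_script CONF EVENT IFACE
# Mirrors the proposal: called in place of PreUp/PostUp/PreDown/PostDown,
# a no-op when ActionScriptDir is not set, otherwise runs
# "$ActionScriptDir/wireguard.script EVENT IFACE" after the checks above.
run_action_script() {
    conf="$1"; event="$2"; iface="$3"
    case "$event" in
        PRE_UP|PRE_DOWN|POST_UP|POST_DOWN) ;;
        *) echo "unknown event $event" >&2; return 2 ;;
    esac
    dir=$(action_script_dir "$conf")
    [ -n "$dir" ] || return 0
    script="$dir/wireguard.script"
    check_action_script "$script" || return 1
    "$script" "$event" "$iface"
}

# Stand-alone use: ./dispatch.sh /etc/wireguard/wg0.conf POST_UP wg0
if [ "$#" -eq 3 ]; then
    run_action_script "$1" "$2" "$3"
fi
```

The checks only help against a script that an unprivileged attacker could have produced: a setuid bit, a different owner, or a world-writable file. Whoever can write the config also chooses ActionScriptDir, so if that person can also create a correctly owned and permissioned script in that directory, the indirection through wireguard.script gives no more protection than PostUp does; that is the substance of the objection in the reply above.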
