** Changed in: systemd (Ubuntu Noble)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2091987

Title:
  group and mode of /etc/wireguard incompatible with systemd

Status in systemd package in Ubuntu:
  Fix Released
Status in wireguard package in Ubuntu:
  Expired
Status in systemd source package in Noble:
  Incomplete
Status in wireguard source package in Noble:
  Invalid
Status in systemd source package in Oracular:
  Fix Released
Status in wireguard source package in Oracular:
  Invalid
Status in systemd source package in Plucky:
  Fix Released
Status in wireguard source package in Plucky:
  Expired

Bug description:
  Hi,

  there are two different methods to get wireguard tunnels up:

  - wg-quick and the systemd service template for it

  - as a systemd netdev device (see man systemd.netdev)

  
  The latter has some advantages, e.g. better integration into systemd and the
  ability to read the secret key from a file instead of directly entering the key
  into the file. And, since systemd version 256 (unfortunately, Ubuntu 24.04
  comes with 255), it can have the secret encrypted and decrypted by systemd,
  optionally using the TPM.

  But the systemd method requires both the /etc/wireguard directory and
  the key files (usually in this directory) to be readable for the
  systemd-network.


  Therefore, /etc/wireguard should be set to group systemd-network and
  mode 2750 (set gid to automatically make files readable for networkd)
  _if_, and I do stress, _if_ it is supposed to work with
  systemd.netdev under Ubuntu. Opening file permissions always can
  weaken security.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: wireguard 1.0.20210914-1ubuntu4
  ProcVersionSignature: Ubuntu 6.8.0-50.51-generic 6.8.12
  Uname: Linux 6.8.0-50-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3.3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CloudArchitecture: x86_64
  CloudID: hetzner
  CloudName: hetzner
  CloudPlatform: hetzner
  CloudSubPlatform: metadata (http://169.254.169.254/hetzner/v1/metadata)
  Date: Wed Dec 18 01:51:07 2024
  PackageArchitecture: all
  SourcePackage: wireguard
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2091987/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
