Bug 253813 - net/wireguard: should depend on security/sudo
Summary: net/wireguard: should depend on security/sudo
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Bernhard Froehlich
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-24 12:51 UTC by Alexey Vyskubov
Modified: 2023-10-30 12:09 UTC (History)
7 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Vyskubov 2021-02-24 12:51:21 UTC
net/wireguard install wg-quick script, which uses sudo here:

auto_su() {
        [[ $UID == 0 ]] || exec sudo -p "$PROGRAM must be run as root. Please enter the password for %u to continue: " -- "$BASH" -- "$SELF" "${ARGS[@]}"
}
Comment 1 Bernhard Froehlich freebsd_committer freebsd_triage 2021-02-24 14:18:43 UTC
In my opinion this auto_su function should first check if sudo is available and just exit with an error if not. Depending on sudo does not sound like a good idea to me considering their security record.

The wg-quick for openbsd also supports runas which we have in ports.

Feel free to create a patch for this but I won't have time myself in the next couple of weeks.
Comment 2 Alexey Vyskubov 2021-03-01 15:49:41 UTC
(In reply to Bernhard Froehlich from comment #1)

Should rather be the whole `auto_su()` functionality to be removed, replaced by an error message? There are multiple ways to get root privileges; there are at least sudo, doas and calife in ports. There's probably no point in trying to support every one of those?

Moreover, even having sudo or doas installed doesn't mean the current user can successfully run things as root with their help...

Any comments?

(I'll do the patch, let's just agree on what to do.)
Comment 3 Bernhard Froehlich freebsd_committer freebsd_triage 2021-03-01 15:56:48 UTC
The upstream code is here:
https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick

As you can see this auto_su functionality is available on all platforms so I will talk to upstream first and ask for their opinion before we start to patch it.
Comment 4 Jason A. Donenfeld 2021-04-17 23:46:28 UTC
What is more popular? doas or sudo?
Comment 5 Christos Chatzaras 2021-04-18 08:20:16 UTC
(In reply to Jason A. Donenfeld from comment #4)

Personally I use sudo.
Comment 6 Christos Chatzaras 2021-04-18 08:31:27 UTC
(In reply to Jason A. Donenfeld from comment #4)

But I run it as root so no sudo is needed for my cases.
Comment 7 Alexey Vyskubov 2023-03-05 16:54:46 UTC
Any news from upstream?
Comment 8 crest 2023-10-30 12:09:30 UTC
Has anyone reported this (with preferably with a patch) upstream to wg-quick? Given that they want to be a "managed" frontend for WireGuard it would make sense to search for sudo, runas, su in that order until one exists is found, try it, and report an error if it fails.