The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=cba525e53bf5bfc95c5a66ad4fae1d16f8135e08
commit cba525e53bf5bfc95c5a66ad4fae1d16f8135e08 Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-02-11 10:14:14 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-02-14 17:47:53 +0000 pfctl: relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian Obtained from: OpenBSD, henning <henn...@openbsd.org>, 7140c133f0 Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index b370cbc463ae..522d2a910de7 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -6917,8 +6917,8 @@ check_file_secrecy(int fd, const char *fname)
 warnx("%s: owner not root or current user", fname);
 return (-1);
 }
- if (st.st_mode & (S_IRWXG | S_IRWXO)) {
- warnx("%s: group/world readable/writeable", fname);
+ if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
+ warnx("%s: group writable or world read/writable", fname);
 return (-1);
 }
 return (0);
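Review bot: With S_IRGRP dropped from the mask in check_file_secrecy(), a 0640 file now passes whichever group owns it, because the only ownership test visible above the changed line is on the owner uid ("owner not root or current user") and st_gid is not examined anywhere in this hunk. If the intent is to let an admin group read the ruleset, a comment above the mode test would make the accepted policy explicit, e.g. `/* group read is accepted for any owning group; st_gid is deliberately not checked */`. The new warning text also leaves out that the group-execute and world-execute bits trigger the same rejection, so a file refused for S_IXGRP alone gets a message that does not name the offending bit. The function body starts before the hunk, so an earlier gid check cannot be ruled out from here.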