[Bug 2091987] Re: group and mode of /etc/wireguard incompatible with systemd
Lukas Märdian
2091987 at bugs.launchpad.net
Mon Mar 31 11:18:32 UTC 2025
No, Ubuntu does not backport major systemd versions to stable LTS. This
would have a huge impact on the reliability of the stable release.
Should we be able to identify the specific commits/changes in systemd
256/257 that fixed this behavior, we could request those to be included
and tested in a future systemd SRU, though.
Let me add some systemd SRU tasks to this bug report. Feel free to help
identify the relevant changes.
** Also affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Also affects: systemd (Ubuntu Plucky)
Importance: Undecided
Status: New
** Also affects: wireguard (Ubuntu Plucky)
Importance: Undecided
Status: Expired
** Also affects: systemd (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: wireguard (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: systemd (Ubuntu Oracular)
Importance: Undecided
Status: New
** Also affects: wireguard (Ubuntu Oracular)
Importance: Undecided
Status: New
** Changed in: wireguard (Ubuntu Oracular)
Status: New => Invalid
** Changed in: wireguard (Ubuntu Noble)
Status: New => Invalid
** Changed in: systemd (Ubuntu Plucky)
Status: New => Fix Released
** Changed in: systemd (Ubuntu Oracular)
Status: New => Fix Released
https://bugs.launchpad.net/bugs/2091987
Title:
group and mode of /etc/wireguard incompatible with systemd
Status in systemd package in Ubuntu:
Fix Released
Status in wireguard package in Ubuntu:
Expired
Status in systemd source package in Noble:
New
Status in wireguard source package in Noble:
Invalid
Status in systemd source package in Oracular:
Fix Released
Status in wireguard source package in Oracular:
Invalid
Status in systemd source package in Plucky:
Fix Released
Status in wireguard source package in Plucky:
Expired
Bug description:
Hi,
there are two different methods to get wireguard tunnels up:
- wg-quick and the systemd service template for it
- as a systemd netdev device (see man systemd.netdev)
The latter has some advantages, e.g. better integration into systemd and the ability to read the secret key from a file instead of directly entering the key into the file. And, since systemd version 256 (unfortunately, Ubuntu 24.04 comes with 255) it can have the secret encrypted and decrypted by systemd, optionally using the TPM.
But the systemd method requires both the /etc/wireguard directory and
the key files (usually in this directory) to be readable for the
systemd-network.
Therefore, /etc/wireguard should be set to group systemd-network and
mode 2750 (set gid to automatically make files readable for networkd)
_if_, and I do stress, _if_ it is supposed to work with
systemd.netdev under Ubuntu. Opening file permissions always can
weaken security.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: wireguard 1.0.20210914-1ubuntu4
ProcVersionSignature: Ubuntu 6.8.0-50.51-generic 6.8.12
Uname: Linux 6.8.0-50-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.3
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: hetzner
CloudName: hetzner
CloudPlatform: hetzner
CloudSubPlatform: metadata (http://169.254.169.254/hetzner/v1/metadata)
Date: Wed Dec 18 01:51:07 2024
PackageArchitecture: all
SourcePackage: wireguard
UpgradeStatus: No upgrade log present (probably fresh install)
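
An added example for administrators checking the layout this report describes (not part of the bug report or of either package): a shell function that audits a key directory for the group and mode named in the description, and also confirms that each key file is group-readable without granting anything to other users. It assumes GNU `stat`; the function name `check_wg_dir` is made up for this example.

```shell
# Added example, not from the bug report. Assumes GNU stat (coreutils).
# Usage: check_wg_dir /etc/wireguard systemd-network
# Returns 0 if the layout matches, 1 on any finding, 2 if DIR is missing.
check_wg_dir() {
    dir=$1
    group=${2:-systemd-network}
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }

    # %G = owning group name, %a = octal permission bits
    set -- $(stat -c '%G %a' "$dir")
    [ "$1" = "$group" ] || { echo "$dir: group $1, expected $group"; rc=1; }
    [ "$2" = "2750" ] || { echo "$dir: mode $2, expected 2750"; rc=1; }

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(stat -c '%G %a' "$f")
        [ "$1" = "$group" ] || { echo "$f: group $1, expected $group"; rc=1; }
        # networkd reads the key through the group-read bit (octal 040)
        [ $(( 0$2 & 040 )) -ne 0 ] || { echo "$f: not group-readable"; rc=1; }
        # a private key must carry no permissions for "other" (octal 007)
        [ $(( 0$2 & 007 )) -eq 0 ] || { echo "$f: accessible to others"; rc=1; }
    done
    return $rc
}
```

The setgid bit only makes new files inherit the directory's group; whether they are group-readable still depends on the umask in effect when the key was written, which is why the file modes are checked separately.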