fix: permissions for wireguard dir

parfenovvs · parfenovvs · commit 774b5491935a · 2025-12-12T17:21:17.000+02:00
diff --git a/README.md b/README.md
@@ -60,14 +60,14 @@ View available servers and locations:
 
 ### Connection Management
 
-Connect to a server:
-`sudo mbvpn connect <server>` (or the shorthand `sudo mbvpn c <server>`)
+Connect to a server (will request sudo password when needed):
+`mbvpn connect <server>` (or the shorthand `mbvpn c <server>`)
 
-Disconnect from VPN:
-`sudo mbvpn disconnect` (or the shorthand `sudo mbvpn d`)
+Disconnect from VPN (will request sudo password when needed):
+`mbvpn disconnect` (or the shorthand `mbvpn d`)
 
-Check connection status:
-`sudo mbvpn status`
+Check connection status (will request sudo password when needed):
+`mbvpn status`
 
 End your session:
 `mbvpn logout`
@@ -82,7 +82,7 @@ The `mbvpn logout` command deactivates your device (makes the license seat free)
 
 ### Cannot disconnect, lost internet access
 
-Use `sudo mbvpn disconnect` (without specifying a server). The tool will attempt to disconnect from all WireGuard connections.
+Use `mbvpn disconnect` (without specifying a server). The tool will attempt to disconnect from all WireGuard connections (will request sudo password when needed).
 
 If that doesn't help, manually disconnect using WireGuard directly:
 1. Find your connection: `wg show`
diff --git a/pkg/console/console.go b/pkg/console/console.go
@@ -89,16 +89,6 @@ func sanitizeWgConfigPath(cfgPath string, dirProvider config.DirectoryProvider)
 		return "", fmt.Errorf("failed to resolve absolute path: %w", err)
 	}
 
-	// Verify the file exists and is a regular file
-	fileInfo, err := os.Stat(absPath)
-	if err != nil {
-		return "", fmt.Errorf("config file not accessible: %w", err)
-	}
-
-	if !fileInfo.Mode().IsRegular() {
-		return "", fmt.Errorf("config path is not a regular file")
-	}
-
 	// Check if it's within the expected config directory OR system wireguard directory
 	expectedBase, err := dirProvider.GetServersDir()
 	if err != nil {
@@ -111,10 +101,28 @@ func sanitizeWgConfigPath(cfgPath string, dirProvider config.DirectoryProvider)
 	}
 
 	// Path must be in either user config directory or system wireguard directory
-	if !strings.HasPrefix(absPath, expectedBase) && !strings.HasPrefix(absPath, wireguardBase) {
+	inUserDir := strings.HasPrefix(absPath, expectedBase)
+	inSystemDir := strings.HasPrefix(absPath, wireguardBase)
+
+	if !inUserDir && !inSystemDir {
 		return "", fmt.Errorf("config file must be within %s or %s", expectedBase, wireguardBase)
 	}
 
+	// Verify the file exists and is a regular file
+	// For system directory (/etc/wireguard), skip this check as regular users
+	// may not have permission to stat root-owned files with 0600 permissions.
+	// wg-quick will run with sudo and can access them.
+	if inUserDir {
+		fileInfo, err := os.Stat(absPath)
+		if err != nil {
+			return "", fmt.Errorf("config file not accessible: %w", err)
+		}
+
+		if !fileInfo.Mode().IsRegular() {
+			return "", fmt.Errorf("config path is not a regular file")
+		}
+	}
+
 	// Verify file extension (WireGuard configs must be .conf)
 	if filepath.Ext(absPath) != ".conf" {
 		return "", fmt.Errorf("config file must have .conf extension")
diff --git a/pkg/vpn/vpn.go b/pkg/vpn/vpn.go
@@ -3,6 +3,7 @@ package vpn
 import (
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"
 
@@ -426,28 +427,54 @@ func (vpn *DefaultVpn) saveWgConfig(serverName string, configContent string) (st
 }
 
 // copyConfigToSystem copies a config file from user directory to /etc/wireguard
-// This requires sudo permissions and is called during connection operations.
+// Uses sudo for operations requiring elevated privileges in production.
+// In test environments, uses direct file operations.
 func (vpn *DefaultVpn) copyConfigToSystem(userConfigPath, serverName string) (string, error) {
 	wireguardDir, err := vpn.dirProvider.GetWireguardDir()
 	if err != nil {
 		return "", fmt.Errorf("failed to get wireguard directory: %w", err)
 	}
 
-	// Ensure /etc/wireguard exists with proper permissions
-	if err := os.MkdirAll(wireguardDir, 0o700); err != nil {
-		return "", fmt.Errorf("failed to create wireguard directory: %w", err)
-	}
+	systemPath := filepath.Join(wireguardDir, serverName+".conf")
 
-	// Read source config
-	configData, err := os.ReadFile(userConfigPath)
-	if err != nil {
-		return "", fmt.Errorf("failed to read config: %w", err)
-	}
+	// Detect test environment (same logic as GetWireguardDir)
+	isTestEnv := strings.Contains(wireguardDir, os.TempDir())
 
-	// Write to system location
-	systemPath := filepath.Join(wireguardDir, serverName+".conf")
-	if err := os.WriteFile(systemPath, configData, 0o600); err != nil {
-		return "", fmt.Errorf("failed to write system config: %w", err)
+	if isTestEnv {
+		// Test environment - use direct file operations
+		if err := os.MkdirAll(wireguardDir, 0o700); err != nil {
+			return "", fmt.Errorf("failed to create wireguard directory: %w", err)
+		}
+
+		configData, err := os.ReadFile(userConfigPath)
+		if err != nil {
+			return "", fmt.Errorf("failed to read config: %w", err)
+		}
+
+		if err := os.WriteFile(systemPath, configData, 0o600); err != nil {
+			return "", fmt.Errorf("failed to write system config: %w", err)
+		}
+	} else {
+		// Production environment - use sudo commands
+		cmd := exec.Command("sudo", "mkdir", "-p", wireguardDir)
+		if err := cmd.Run(); err != nil {
+			return "", fmt.Errorf("failed to create wireguard directory: %w", err)
+		}
+
+		cmd = exec.Command("sudo", "chmod", "700", wireguardDir)
+		if err := cmd.Run(); err != nil {
+			return "", fmt.Errorf("failed to set directory permissions: %w", err)
+		}
+
+		cmd = exec.Command("sudo", "cp", userConfigPath, systemPath)
+		if err := cmd.Run(); err != nil {
+			return "", fmt.Errorf("failed to copy config to system: %w", err)
+		}
+
+		cmd = exec.Command("sudo", "chmod", "600", systemPath)
+		if err := cmd.Run(); err != nil {
+			return "", fmt.Errorf("failed to set config file permissions: %w", err)
+		}
 	}
 
 	return systemPath, nil
