Fixes pentest issue DG25-27 from 2025-09-02

nix/package.nix

@@ -35,6 +35,7 @@
     webkitgtk_4_1
     openssl
     libayatana-appindicator
+    desktop-file-utils
   ];
 
   nativeBuildInputs = with pkgs; [

resources-linux/defguard-service.service

@@ -5,6 +5,7 @@ Wants=network-online.target
 After=network-online.target
 
 [Service]
+Group=defguard
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/usr/sbin/defguard-service
 KillMode=process

resources-linux/postinst

@@ -1,3 +1,70 @@
-systemctl daemon-reload
-systemctl enable defguard-service
-systemctl start defguard-service
+#!/bin/sh
+set -e
+
+GROUP_NAME="defguard"
+SERVICE_NAME="defguard-service"
+
+case "$1" in
+    configure)
+        # Create the group if it doesn't exist
+        if ! getent group "$GROUP_NAME" >/dev/null; then
+            addgroup --system "$GROUP_NAME"
+            echo "Created group $GROUP_NAME"
+        fi
+
+        # Determine target user
+        TARGET_USER=""
+        if [ -n "$SUDO_USER" ] && [ "$SUDO_USER" != "root" ]; then
+            TARGET_USER="$SUDO_USER"
+        elif [ -n "$USER" ] && [ "$USER" != "root" ]; then
+            TARGET_USER="$USER"
+        fi
+
+        # Add user to group if we found a valid target
+        if [ -n "$TARGET_USER" ]; then
+            if getent passwd "$TARGET_USER" >/dev/null; then
+                # Try to add user to group and check if it succeeded
+                if usermod -a -G "$GROUP_NAME" "$TARGET_USER"; then
+                    echo "Added user $TARGET_USER to group $GROUP_NAME"
+
+                    # Only show reboot message if user was actually added
+                    echo "================================================"
+                    echo "  IMPORTANT: Reboot or Re-login Required"
+                    echo "================================================"
+                    echo "The user has been added to the defguard group."
+                    echo "Please reboot or log out and back in for the"
+                    echo "group membership changes to take effect."
+                    echo "================================================"
+                else
+                    echo "Warning: Failed to add user $TARGET_USER to group $GROUP_NAME"
+                    exit 1
+                fi
+            fi
+        fi
+
+        # Handle systemd service
+        if [ -d /run/systemd/system ]; then
+            # Reload systemd to recognize new service file
+            systemctl daemon-reload
+
+            # Enable service to start on boot
+            systemctl enable "$SERVICE_NAME"
+
+            # Start the service now
+            systemctl start "$SERVICE_NAME"
+        fi
+        ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+        # On failed operations, ensure service is running if it should be
+        if [ -d /run/systemd/system ]; then
+            systemctl daemon-reload
+            if systemctl is-enabled "$SERVICE_NAME" >/dev/null 2>&1; then
+                systemctl start "$SERVICE_NAME" || true
+            fi
+        fi
+        ;;
+esac
+
+#DEBHELPER#
+

resources-linux/postrm

@@ -1 +1,24 @@
-systemctl daemon-reload
+#!/bin/sh
+set -e
+
+GROUP_NAME="defguard"
+SERVICE_NAME="defguard-service"
+
+case "$1" in
+    remove)
+        # Service file still exists, just disable it
+        if [ -d /run/systemd/system ]; then
+            systemctl disable "$SERVICE_NAME" || true
+            systemctl daemon-reload
+        fi
+        ;;
+
+    purge)
+        # Complete removal - clean up group too
+        if getent group "$GROUP_NAME" >/dev/null; then
+            delgroup "$GROUP_NAME" || true
+        fi
+        ;;
+esac
+
+#DEBHELPER#

resources-linux/prerm

@@ -1,2 +1,15 @@
-systemctl stop defguard-service
-systemctl disable defguard-service
+#!/bin/sh
+set -e
+
+SERVICE_NAME="defguard-service"
+
+case "$1" in
+    remove|upgrade|deconfigure)
+        if [ -d /run/systemd/system ]; then
+            # Stop the service before removal/upgrade
+            systemctl stop "$SERVICE_NAME" || true
+        fi
+        ;;
+esac
+
+#DEBHELPER#

src-tauri/Cargo.toml

@@ -102,6 +102,7 @@ semver = "1.0.26"
 tokio-stream = "0.1"
 tower = "0.5"
 hyper-util = "0.1"
+nix = { version = "0.30.1", features = ["user", "fs"] }
 
 [target.'cfg(windows)'.dependencies]
 winapi = { version = "0.3", features = ["winsvc", "winerror"] }

src-tauri/resources-macos/resources/net.defguard.plist

@@ -16,5 +16,7 @@ http://www.apple.com/DTDs/PropertyList-1.0.dtd >
     <true/>
     <key>RunAtLoad</key>
     <true/>
+    <key>GroupName</key>
+    <string>staff</string>
 </dict>
 </plist>

src-tauri/src/service/mod.rs

@@ -15,6 +15,8 @@ use std::{
     str::FromStr,
     time::{Duration, SystemTime, UNIX_EPOCH},
 };
+#[cfg(unix)]
+use std::{fs, os::unix::fs::PermissionsExt, path::Path};
 
 #[cfg(not(target_os = "macos"))]
 use defguard_wireguard_rs::Kernel;
@@ -27,12 +29,12 @@ use defguard_wireguard_rs::{
     net::IpAddrMask,
     InterfaceConfiguration, WGApi, WireguardInterfaceApi,
 };
+#[cfg(unix)]
+use nix::unistd::{chown, Group};
 use proto::{
     desktop_daemon_service_server::{DesktopDaemonService, DesktopDaemonServiceServer},
     CreateInterfaceRequest, InterfaceData, ReadInterfaceDataRequest, RemoveInterfaceRequest,
 };
-#[cfg(unix)]
-use std::{fs, os::unix::fs::PermissionsExt, path::Path};
 use thiserror::Error;
 #[cfg(unix)]
 use tokio::net::UnixListener;
@@ -48,6 +50,7 @@ use tracing::{debug, error, info, info_span, Instrument};
 
 use self::config::Config;
 use super::VERSION;
+use crate::error::Error;
 
 #[cfg(windows)]
 const DAEMON_HTTP_PORT: u16 = 54127;
@@ -57,6 +60,12 @@ pub(super) const DAEMON_BASE_URL: &str = "http://localhost:54127";
 #[cfg(unix)]
 pub(super) const DAEMON_SOCKET_PATH: &str = "/var/run/defguard.socket";
 
+#[cfg(target_os = "macos")]
+pub(super) const DAEMON_SOCKET_GROUP: &str = "staff";
+
+#[cfg(target_os = "linux")]
+pub(super) const DAEMON_SOCKET_GROUP: &str = "defguard";
+
 #[derive(Error, Debug)]
 pub enum DaemonError {
     #[error(transparent)]
@@ -349,9 +358,19 @@ pub async fn run_server(config: Config) -> anyhow::Result<()> {
 
     let uds = UnixListener::bind(DAEMON_SOCKET_PATH)?;
 
+    // change owner group for socket file
+    // get the group ID by name
+    let group = Group::from_name(DAEMON_SOCKET_GROUP)?.ok_or_else(|| {
+        error!("Group '{}' not found", DAEMON_SOCKET_GROUP);
+        Error::InternalError(format!("Group '{}' not found", DAEMON_SOCKET_GROUP))
+    })?;
+
+    // change ownership - keep current user, change group
+    chown(DAEMON_SOCKET_PATH, None, Some(group.gid))?;
+
     // Set socket permissions to allow client access
-    // 0o666 allows read/write for owner, group, and others
-    fs::set_permissions(DAEMON_SOCKET_PATH, fs::Permissions::from_mode(0o666))?;
+    // 0o660 allows read/write for owner and group only
+    fs::set_permissions(DAEMON_SOCKET_PATH, fs::Permissions::from_mode(0o660))?;
 
     let uds_stream = UnixListenerStream::new(uds);
 

src-tauri/tauri.conf.json

@@ -35,7 +35,6 @@
         ]
       }
     },
-    "longDescription": "Defguard desktop client.",
     "macOS": {
       "entitlements": null,
       "exceptionDomain": "",
@@ -46,7 +45,8 @@
     "resources": [
       "resources/icons/*"
     ],
-    "shortDescription": "",
+    "shortDescription": "Defguard desktop client",
+    "longDescription": "Defguard desktop client",
     "linux": {
       "deb": {
         "files": {
@@ -107,4 +107,4 @@
       }
     }
   }
-}
+}

src-tauri/tauri.linux.conf.json

@@ -0,0 +1,5 @@
+{
+  "bundle": {
+    "longDescription": "IMPORTANT: Reboot or Re-login Required\nOn initial install the user is added to the defguard group.\nA reboot or logging out and back in is required for group membership changes to take effect.\nThis is not required on subsequent updates."
+  }
+}