| author | Adam Ierymenko <adam.ierymenko@zerotier.com> | 2014-01-26 10:32:12 -0800 |
|---|---|---|
| committer | Adam Ierymenko <adam.ierymenko@zerotier.com> | 2014-01-26 10:32:12 -0800 |
| commit | 9d67a02b5f691583220ab858cd2c6a92079e107f (patch) | |
| tree | 0f3f0053af59cebbb3f5c329749d3523c61144d0 /node | |
| parent | 22efa1ab53fcd484657161841468810b43ea1d0d (diff) | |
Lock down individual files in networks.d instead of directory since directory ACLs are more complex on Windows.
Diffstat (limited to 'node')
| -rw-r--r-- | node/Network.cpp | 3 | ||||
| -rw-r--r-- | node/Node.cpp | 3 |
2 files changed, 4 insertions, 2 deletions
diff --git a/node/Network.cpp b/node/Network.cpp
index 37f00625..af7623c1 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -116,6 +116,8 @@ void Network::setConfiguration(const Dictionary &conf,bool saveToDisk)
 std::string confPath(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d" + ZT_PATH_SEPARATOR_S + idString() + ".conf");
 if (!Utils::writeFile(confPath.c_str(),conf.toString())) {
 LOG("error: unable to write network configuration file at: %s",confPath.c_str());
+ } else {
+ Utils::lockDownFile(confPath.c_str(),false);
 }
 }
 } else {
@@ -368,6 +370,7 @@ void Network::_dumpMulticastCerts()
 }
 fclose(mcdb);
+ Utils::lockDownFile(mcdbPath.c_str(),false);
 }
 } // namespace ZeroTier
diff --git a/node/Node.cpp b/node/Node.cpp
index e55cad04..25c08067 100644
--- a/node/Node.cpp
+++ b/node/Node.cpp
@@ -419,7 +419,7 @@ Node::ReasonForTermination Node::run()
 }
 Utils::lockDownFile(identitySecretPath.c_str(),false);
- // Make sure networks.d exists and is secure
+ // Make sure networks.d exists
 {
 std::string networksDotD(_r->homePath + ZT_PATH_SEPARATOR_S + "networks.d");
 #ifdef __WINDOWS__
@@ -427,7 +427,6 @@ Node::ReasonForTermination Node::run()
 #else
 mkdir(networksDotD.c_str(),0700);
 #endif
- Utils::lockDownFile(networksDotD.c_str(),true);
 }
 // Load or generate config authentication secret |
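Review bot: In `Network::setConfiguration` the new `else` branch restricts the config file only after `Utils::writeFile` has already created and filled it, so a newly created file sits on disk with its contents under whatever default permissions apply (presumably umask-governed on POSIX; `writeFile` is not visible here) until `Utils::lockDownFile(confPath.c_str(),false)` runs. The same write-then-restrict order is in `_dumpMulticastCerts`, where `lockDownFile(mcdbPath.c_str(),false)` follows `fclose(mcdb)`. Because this commit also stops locking down the networks.d directory, no parent ACL covers that interval any more. Consider restricting the file before content is written (or writing to an already-restricted temporary file and renaming it), and until then document the gap with a comment such as `// NOTE: file uses default permissions until lockDownFile() runs`. Both function bodies begin outside their hunks.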
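Review bot: Once `Utils::lockDownFile(networksDotD.c_str(),true)` is dropped in the next hunk, the non-Windows branch depends solely on `mkdir(networksDotD.c_str(),0700)`, which applies the mode only when it actually creates the directory; a networks.d that already exists with wider permissions is no longer tightened on startup. Any file in that directory that is not written through the two patched paths in Network.cpp is then left without either protection. The commit message gives Windows directory ACLs as the reason, so the directory lock could stay for other platforms by keeping `Utils::lockDownFile(networksDotD.c_str(),true);` directly after the `mkdir` line inside the `#else` branch. This block is part of `Node::run()`, which starts and ends outside these hunks.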
