author | Christian Poessinger <christian@poessinger.com> | 2020-04-08 22:30:21 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-04-08 22:30:23 +0200 |
commit | d16348285127f638ae94aa91fdc94d6509d45af1 (patch) | |
tree | dba148aa54b7719c9ecae503a3cffe3abceebb55 | |
parent | 9123a03824f083035f130477bb7b030e559cc9ec (diff) | |
vyos.util: introduce chmod_750() for files/directories
-rw-r--r-- | python/vyos/util.py | 8 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-wireguard.py | 5 |
2 files changed, 10 insertions, 3 deletions
diff --git a/python/vyos/util.py b/python/vyos/util.py
index f1fb5ce27..385dc73df 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -103,6 +103,14 @@ def chown(path, user, group):
 gid = getgrnam(group).gr_gid
 os.chown(path, uid, gid)
+def chmod_750(path):
+ """ make file/directory only executable to user and group """
+ from stat import S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IXGRP
+
+ if os.path.exists(path):
+ bitmask = S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP
+ os.chmod(path, bitmask)
+
 def chmod_x(path):
 """ make file executable """
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index e9d9ad459..8e80a85a2 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -24,7 +24,7 @@ from netifaces import interfaces
 from vyos.config import Config
 from vyos.configdict import list_diff
 from vyos.ifconfig import WireGuardIf
-from vyos.util import chown, run, is_bridge_member
+from vyos.util import chown, run, is_bridge_member, chmod_750
 from vyos import ConfigError
 kdir = r'/config/auth/wireguard'
@@ -60,8 +60,7 @@ def _migrate_default_keys():
 os.makedirs(location)
 chown(location, 'root', 'vyattacfg')
- run(f'sudo chmod 750 {location}')
-
+ chmod_750(location)
 os.rename(f'{kdir}/private.key', f'{location}/private.key')
 os.rename(f'{kdir}/public.key', f'{location}/public.key') |
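Review bot: The `os.path.exists(path)` guard in `chmod_750` turns a missing path into a silent no-op, so a caller that relies on it to protect a key directory cannot tell that the mode was never applied, and the separate check-then-chmod leaves a gap between the test and the change. I would drop the guard and let `os.chmod(path, bitmask)` raise `FileNotFoundError`, or return a boolean that callers must check. The docstring also understates the effect: the call replaces the whole mode with rwxr-x---, removing every permission for others, so `""" set mode of file/directory to 0o750 (rwxr-x---), no access for others """` would describe it accurately. If `chmod_x` below uses the same exists-then-chmod pattern (its body is outside the hunk), the same point applies there.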
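Review bot: `os.makedirs(location)` creates the key directory with the process's default, umask-dependent mode, and it is narrowed only two calls later by `chmod_750(location)`. Creating it restricted from the start, `os.makedirs(location, mode=0o750)`, would make the later chmod a umask-independent correction rather than the only control. Because `chmod_750` returns silently when the path is absent, nothing in these lines confirms the mode before `private.key` is moved in. The visible lines also do not set the mode of `private.key` itself, so it is worth confirming the file is not readable beyond root and vyattacfg after migration. `_migrate_default_keys` starts and ends outside this hunk.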