From cba525e53bf5bfc95c5a66ad4fae1d16f8135e08 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Tue, 11 Feb 2025 11:14:14 +0100
Subject: [PATCH] pfctl: relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
Obtained from: OpenBSD, henning , 7140c133f0
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index b370cbc463a..522d2a910de 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -6917,8 +6917,8 @@ check_file_secrecy(int fd, const char *fname)
 warnx("%s: owner not root or current user", fname);
 return (-1);
 }
- if (st.st_mode & (S_IRWXG | S_IRWXO)) {
- warnx("%s: group/world readable/writeable", fname);
+ if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
+ warnx("%s: group writable or world read/writable", fname);
 return (-1);
 }
 return (0);
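Review bot: The relaxed mask in `check_file_secrecy` now accepts a group-readable file, but no visible line in this hunk looks at `st.st_gid`, so the file is readable by every member of whichever group owns it. The function starts above the hunk, so a group check may exist there; if not, a comment above the test should state the policy, e.g. `/* group may read (0640 is accepted); group write/exec and any world access are refused; the owning group itself is not checked */`. The new warning text also understates what the mask rejects: `S_IXGRP` and the execute bit inside `S_IRWXO` fail the test too, so a file with mode 0650 is reported as "group writable or world read/writable" although neither is true. Wording such as `warnx("%s: group writable/executable or world accessible", fname);` would match the mask and point an administrator at the bit that actually needs fixing.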