3 files changed, 22 insertions, 0 deletions

diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c
index df4e961ea0..d5a639e874 100644
--- a/src/shared/conf-parser.c
+++ b/src/shared/conf-parser.c
@@ -332,6 +332,8 @@ int config_parse(const char *unit,
                 }
         }
 
+        fd_warn_permissions(filename, fileno(f));
+
         while (!feof(f)) {
                 char l[LINE_MAX], *p, *c = NULL, *e;
                 bool escaped = false;
diff --git a/src/shared/util.c b/src/shared/util.c
index aae587243e..f76ed6f563 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -6132,3 +6132,21 @@ int open_tmpfile(const char *path, int flags) {
         unlink(p);
         return fd;
 }
+
+int fd_warn_permissions(const char *path, int fd) {
+        struct stat st;
+
+        if (fstat(fd, &st) < 0)
+                return -errno;
+
+        if (st.st_mode & 0111)
+                log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
+
+        if (st.st_mode & 0002)
+                log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
+
+        if (getpid() == 1 && (st.st_mode & 0044) != 0044)
+                log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
+
+        return 0;
+}
diff --git a/src/shared/util.h b/src/shared/util.h
index e4de4728bd..219e4897b3 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -867,3 +867,5 @@ int writev_safe(int fd, const struct iovec *w, int j);
 
 int mkostemp_safe(char *pattern, int flags);
 int open_tmpfile(const char *path, int flags);
+
+int fd_warn_permissions(const char *path, int fd);