Bugzilla – Full Text Bug Listing
Summary: unbound-control-setup generates keys not readable by group
Product: unbound
Reporter: Petr Menšík <pemensik>
Component: server
Assignee: unbound team <unbound-team>
Severity: normal
CC: cathya, judeelliot2, pemensik, wouter
Attachments: proposed patch, set mode manually
Description Petr Menšík 2018-10-17 19:45:55 CEST
Created attachment 529: proposed patch, set mode manually

In more recent OpenSSL, the default file mode for generated keys seems to be user-only, 0600. unbound-control-setup contains this line:

    # we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
    umask 0027

which implies it wants the keys to be group readable. It makes sense on Fedora as well. However, it is no longer valid. I propose to set the full mode of the file. It does not make sense for it to be executable.
Comment 1 Petr Menšík 2018-10-18 10:42:10 CEST
The issue is, OpenSSL 1.1 generates the key with these permissions:

    -rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
    -rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
    -rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
    -rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem

It then requires the CAP_DAC_READ_SEARCH capability to read these files from the daemon. Such a configuration prevents members of unbound from using unbound-control without sudo.
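The mechanism behind the report, as an added demonstration that is not part of unbound or the attached patch: a umask can only clear permission bits from the mode a program requests, so when the key generator opens the file with an explicit 0600 (the OpenSSL 1.1 behaviour described above), `umask 0027` cannot make the result group-readable, and only setting the mode explicitly after generation does. The 0600 creator is emulated with a redirection plus chmod, and 0640 is assumed to be the intended `-rw-r-----`; the function names and the temporary files are constructed for this example.

```shell
#!/bin/sh
# Added example (not unbound's own code): why umask 0027 does not yield
# group-readable keys when the creator forces 0600, and how an explicit
# chmod fixes it. Runs entirely in a temporary directory.
set -eu

# Permission bits of a file as an octal string such as 640
# (GNU stat format, with a BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Emulates a generator that passes 0600 to open(2), as OpenSSL 1.1 does in
# the report: the resulting mode is independent of the caller's umask.
create_with_explicit_0600() {
    : > "$1"
    chmod 0600 "$1"
}

# Case 1: a creator that relies on umask alone (a plain redirection creates
# the file as 0666 & ~umask). With umask 0027 the key ends up 0640.
mode_with_umask_only() {
    dir=$1
    ( umask 0027; : > "$dir/umask_only.key" )
    mode_of "$dir/umask_only.key"
}

# Case 2: the same umask, but the creator forces 0600. umask can only
# remove bits, never add the group-read bit, so the key stays 0600.
mode_with_explicit_0600() {
    dir=$1
    ( umask 0027; create_with_explicit_0600 "$dir/explicit.key" )
    mode_of "$dir/explicit.key"
}

# Case 3: the fix in the spirit of the proposed patch: set the full mode
# after generation. 0640 is assumed as the wanted -rw-r----- (readable by
# the unbound group, not executable, not world-readable).
mode_after_explicit_chmod() {
    dir=$1
    ( umask 0027; create_with_explicit_0600 "$dir/fixed.key" )
    chmod 0640 "$dir/fixed.key"
    mode_of "$dir/fixed.key"
}

# Post-install sanity check: does a key file have exactly the wanted mode?
# Usage: check_key_mode /etc/unbound/unbound_control.key 640
check_key_mode() {
    [ "$(mode_of "$1")" = "$2" ]
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'umask 0027, umask-only creator:   %s\n' "$(mode_with_umask_only "$demo_dir")"
printf 'umask 0027, creator forces 0600:  %s\n' "$(mode_with_explicit_0600 "$demo_dir")"
printf 'after explicit chmod 0640:        %s\n' "$(mode_after_explicit_chmod "$demo_dir")"
```

Run it as any user; the three printed modes are 640, 600 and 640 respectively. `check_key_mode` is the kind of one-line check a package test or post-install script can run against the real `/etc/unbound` files to catch a regression of this bug.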
Comment 2 Wouter Wijngaards 2018-10-22 12:07:39 CEST
Hi Petr,

Thank you for the patch! Integrated it. I think that is a good solution for the permissions.

Best regards, Wouter