Bugzilla – Bug 4192
unbound-control-setup generates keys not readable by group
Last modified: 2018-10-22 12:07:39 CEST
Created attachment 529 [details]
proposed patch, set mode manually
In more recent OpenSSL, default file mode for generated keys seems to be user-only 0600.
unbound-control-setup contains line:
# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
Which implicates it wants keys to be group readable. It makes sense on Fedora as well. However it is no longer valid. I propose to set full mode of file. It does not make sense to be executable.
The issue is, OpenSSL 1.1 generates the key with these permissions:
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem
It then requires CAP_DAC_READ_SEARCH capability to read these files from daemon. Such configuration prevents members of unbound to use unbound-control without sudo.
Thank you for the patch! Integrated it. I think that is a good solution for the permissions.
Best regards, Wouter