Bugzilla – Bug 4192
unbound-control-setup generates keys not readable by group
Last modified: 2019-04-20 12:58:14 CEST
Created attachment 529 [details]
proposed patch, set mode manually
In more recent OpenSSL, default file mode for generated keys seems to be user-only 0600.
unbound-control-setup contains line:
# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
Which implicates it wants keys to be group readable. It makes sense on Fedora as well. However it is no longer valid. I propose to set full mode of file. It does not make sense to be executable.
The issue is, OpenSSL 1.1 generates the key with these permissions:
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem
It then requires CAP_DAC_READ_SEARCH capability to read these files from daemon. Such configuration prevents members of unbound to use unbound-control without sudo.
Thank you for the patch! Integrated it. I think that is a good solution for the permissions.
Best regards, Wouter
If you change the access control permissions on the key files you can choose who can use unbound-control, as a matter of course proprietor and group however not all users. Run the content under the equivalent username as you have designed in unbound.conf or as root, with the goal that the daemon is allowed to read the files. https://www.assignmentland.co.uk/buy-assignment-online