Bug 4192 - unbound-control-setup generates keys not readable by group
Product: unbound
Classification: Unclassified
Component: server
Hardware: x86_64 Linux
Importance: P5 normal
Assigned To: unbound team
Depends on:
Reported: 2018-10-17 19:45 CEST by Petr Menšík
Modified: 2019-04-20 12:58 CEST (History)

See Also:

proposed patch, set mode manually (1.27 KB, patch)
2018-10-17 19:45 CEST, Petr Menšík

Description Petr Menšík 2018-10-17 19:45:55 CEST
Created attachment 529 [details]
proposed patch, set mode manually

In more recent OpenSSL, default file mode for generated keys seems to be user-only 0600.

unbound-control-setup contains line:

# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
umask 0027

Which implies it wants the keys to be group readable. It makes sense on Fedora as well. However, it is no longer valid. I propose to set the full mode of the file. It does not make sense for it to be executable.
Comment 1 Petr Menšík 2018-10-18 10:42:10 CEST
The issue is, OpenSSL 1.1 generates the key with these permissions:

-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem

It then requires the CAP_DAC_READ_SEARCH capability to read these files from the daemon. Such a configuration prevents members of the unbound group from using unbound-control without sudo.
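The mechanism behind the report, as an added example that is not the Unbound project's own code: a umask can only clear permission bits, so a program that creates its private key file with an explicit 0600 mode (the behaviour the reporter observed with OpenSSL 1.1, emulated here with chmod rather than a real openssl call) keeps 0600 under "umask 0027", while a file created with the default 0666 request does end up as 0640. The fix the patch takes is to set the full mode after generation. The file names and the helper functions are constructed for this example and the temporary directory stands in for /etc/unbound.

```shell
#!/bin/sh
# Added example (not from unbound-control-setup): umask versus explicit mode.

# Return 0 when the group read bit is set on the given file, 1 otherwise.
# The symbolic mode from "ls -ld" is parsed so this works without GNU stat;
# a trailing "." or "+" (SELinux label, ACL) after the 10 mode characters is ignored.
group_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Emulates a key writer that requests mode 0600 explicitly (assumption: this is
# what OpenSSL 1.1 does for private keys). umask 0027 cannot add bits back,
# so the result stays 0600 and the group cannot read the key.
write_private_key_like_openssl11() {
    (umask 0027; : > "$1")
    chmod 0600 "$1"
}

# Emulates a writer that requests the default 0666: umask 0027 turns it into 0640.
write_cert_with_umask() {
    (umask 0027; : > "$1")
}

# The fix from the report: set the whole mode instead of relying on the umask.
# 0640 = owner read/write, group read, nobody executes.
set_control_file_mode() {
    for f in "$@"; do
        chmod 0640 "$f"
    done
}

# Demo on constructed temporary files (not the real /etc/unbound paths).
demo() {
    dir=$(mktemp -d)
    key="$dir/unbound_control.key"
    pem="$dir/unbound_control.pem"
    write_private_key_like_openssl11 "$key"
    write_cert_with_umask "$pem"
    if group_readable "$key"; then before=readable; else before=unreadable; fi
    set_control_file_mode "$key" "$pem"
    if group_readable "$key"; then after=readable; else after=unreadable; fi
    echo "key: group $before before the fix, group $after after the fix"
    rm -rf "$dir"
}

demo
```

Run as a normal user; the key is reported as group unreadable before the fix and readable after it, and the execute bit is never set. The same check (group_readable) is what a deployment test could run against /etc/unbound after unbound-control-setup to confirm that members of the unbound group can use unbound-control without sudo.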
Comment 2 Wouter Wijngaards 2018-10-22 12:07:39 CEST
Hi Petr,

Thank you for the patch! Integrated it. I think that is a good solution for the permissions.

Best regards, Wouter
Comment 3 WilliamBurton 2019-04-20 12:58:14 CEST
If you change the access control permissions on the key files you can choose who can use unbound-control, as a matter of course proprietor and group however not all users. Run the content under the equivalent username as you have designed in unbound.conf or as root, with the goal that the daemon is allowed to read the files.