Bug 4192 - unbound-control-setup generates keys not readable by group
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.8.1
Hardware: x86_64 Linux
Importance: P5 normal
Assigned To: unbound team
Reported: 2018-10-17 19:45 CEST by Petr Menšík
Modified: 2018-10-22 12:07 CEST (History)
Attachments
proposed patch, set mode manually (1.27 KB, patch)
2018-10-17 19:45 CEST, Petr Menšík

Description Petr Menšík 2018-10-17 19:45:55 CEST
Created attachment 529
proposed patch, set mode manually

In more recent OpenSSL, the default file mode for generated keys seems to be user-only 0600.

unbound-control-setup contains the line:

# we want -rw-r----- access (say you run this as root: grp=yes (server), all=no).
umask 0027

This implies it wants keys to be group-readable. That makes sense on Fedora as well. However, it is no longer valid. I propose to set the full mode of the file. It does not make sense for it to be executable.
Comment 1 Petr Menšík 2018-10-18 10:42:10 CEST
The issue is, OpenSSL 1.1 generates the key with these permissions:

-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem

It then requires the CAP_DAC_READ_SEARCH capability to read these files from the daemon. Such a configuration prevents members of unbound from using unbound-control without sudo.
Comment 2 Wouter Wijngaards 2018-10-22 12:07:39 CEST
Hi Petr,

Thank you for the patch!  Integrated it.  I think that is a good solution for the permissions.

Best regards, Wouter
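
An added example (not the attached patch and not code from unbound-control-setup) showing why the script's umask 0027 cannot produce a group-readable key once the generating tool creates the file as 0600, and how setting the mode explicitly gives the intended result. It assumes 0640 as the target mode, taken from the script's "-rw-r-----" comment; mktemp stands in for the key generator because it also creates its file as 0600, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: umask can only clear permission bits that the creating
# program requested; it can never add group read to a file created as 0600.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-in for a key generator that requests 0600 at creation time.
# mktemp creates its file with mode 0600, so no real key material is needed.
make_key_like_file() {
    mktemp "$1/key.XXXXXX"
}

# Set the intended mode explicitly instead of relying on umask.
# 0640 (assumption) mirrors the "-rw-r-----" comment in the script.
fix_key_mode() {
    chmod 0640 "$1"
}

# Succeed only if the file is exactly 0640: group-readable, not executable,
# not accessible to others.
key_mode_ok() {
    [ "$(mode_of "$1")" = "640" ]
}

# Create a file under umask 0027, then report its mode before and after
# the explicit chmod. Runs in a subshell so the caller's umask is untouched.
demo() {
    dir=$(mktemp -d) || return 1
    (
        umask 0027
        f=$(make_key_like_file "$dir")
        before=$(mode_of "$f")   # umask 0027 leaves 0600 as it is
        fix_key_mode "$f"
        after=$(mode_of "$f")
        echo "$before $after"
    )
    rm -rf "$dir"
}

demo   # prints: 600 640
```

The same key_mode_ok check can be pointed at the .key files listed in Comment 1 to confirm whether a given installation has the group-readable mode.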