Bug 1640259

Summary: unbound-keygen: generated keys have too strict permissions
Product: [Fedora] Fedora Reporter: Petr Menšík <pemensik>
Component: unboundAssignee: Petr Menšík <pemensik>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominik, pemensik, pj.pandit, pwouters
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4192
Whiteboard:
Fixed In Version: unbound-1.8.2-1.fc30 unbound-1.8.2-1.fc29 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-19 09:47:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1640285    
Attachments:
Description Flags
proposed patch, set mode manually none

Description Petr Menšík 2018-10-17 17:12:24 UTC 
Description of problem:
Control channel keys are generated by unbound-keygen service before unbound.service start. Generated files should be owned by root but readable by unbound.

Version-Release number of selected component (if applicable):
unbound-1.8.1-1.fc30.x86_64

How reproducible:
always

Steps to Reproduce:
1. dnf install unbound
2. systemctl restart unbound-keygen
3. ls -l /etc/unbound/unbound_*
4. rpm -V unbound

Actual results:
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem

.M.......  g /etc/unbound/unbound_control.key
.M.......  g /etc/unbound/unbound_server.key

Expected results:
-rw-r-----. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-r-----. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem


Additional info:
I think this is regression, it worked before by default. Default permissions for  keys might be changed in openssl genrsa default mode. It does work as expected on RHEL7. It does not cause any problems just because CAP_DAC_READ_SEARCH is granted to unbound and is not dropped.
Comment 1 Petr Menšík 2018-10-17 17:47:10 UTC 
Created attachment 1494941 [details]
proposed patch, set mode manually
Comment 2 Petr Menšík 2018-10-17 17:47:59 UTC 
Reported to upstream as bug: 

https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4192
Comment 3 Petr Menšík 2018-10-22 13:09:26 UTC 
Patch accepted upstream
Comment 4 Petr Menšík 2019-03-19 09:47:36 UTC 
Already merged with new version build.