The ebuilds for net-dns/unbound create the "unbound" user with its home directory set to /etc/unbound:
enewuser unbound -1 -1 /etc/unbound unbound
use python && python-single-r1_pkg_setup
As a result, /etc/unbound is writable by the "unbound" user. However, that's where the sensitive unbound.conf gets installed (as root:root):
$ /bin/ls -al /etc/unbound/
drwxr-xr-x 2 unbound root 4096 Dec 14 13:59 .
drwxr-xr-x 79 root root 4096 Dec 14 13:59 ..
-rw-r--r-- 1 root root 34276 Dec 14 13:59 unbound.conf
That conf file must only be writable by root; at least...
* the OpenRC service script uses the value of "pidfile" found
in unbound.conf, so anyone who can edit that file can clobber
things on the fileystem.
* the daemon binds to its interface and port as root, so the
"unbound" user could bind to e.g. port 80.
* From daemon/unbound.c and daemon/remote.c, it looks like unbound
will call "chown" on its pidfile/socket respectively, meaning that
if the "unbound" user can alter the pidfile or local socket location,
then he can take control of any file the next time the daemon is
started. (I haven't tested this one, because the first two are bad
Created unbound tracking bugs for this issue:
Affects: fedora-all [bug 1528445]
The description sounds specific to Gentoo's packaging of unbound, and indeed Fedora + RHEL's configuration does not have this issue:
# cd /etc/unbound
# ls -laZ
drwxr-xr-x. 5 root root system_u:object_r:named_conf_t:s0 4096 Dec 22 12:53 .
drwxr-xr-x. 175 root root system_u:object_r:etc_t:s0 12288 Dec 22 09:41 ..
drwxr-xr-x. 2 root unbound system_u:object_r:named_conf_t:s0 4096 Dec 22 12:53 conf.d
-rw-r--r--. 1 root root system_u:object_r:named_conf_t:s0 13026 Dec 2 02:33 icannbundle.pem
drwxr-xr-x. 2 root unbound system_u:object_r:named_conf_t:s0 4096 Dec 22 12:53 keys.d
drwxr-xr-x. 2 root unbound system_u:object_r:named_conf_t:s0 4096 Dec 22 12:53 local.d
-rw-r--r--. 1 root root system_u:object_r:dnssec_t:s0 939 Dec 2 02:44 root.key
-rw-r--r--. 1 root root system_u:object_r:named_conf_t:s0 35901 Dec 2 02:33 unbound.conf
# ls -lZ conf.d/* local.d/*
-rw-rw-r--. root unbound system_u:object_r:named_conf_t:s0 conf.d/example.com.conf
-rw-rw-r--. root unbound system_u:object_r:named_conf_t:s0 local.d/block-example.com.conf
Default /etc/unbound/unbound.conf includes conf.d/*.conf and local.d/*.conf, including these default (empty except comments) files.
SELinux prevents unbound (named_t) from writing these files *even prior to dropping privs*, but with SELinux disabled it is possible that a compromise of unbound could use these writable files to clobber other filesystem objects, possibly privesc.
I think removing g+w permissions from these files should be considered to add a layer of protection for non-SELinux environments, but it is not an urgent fix since SELinux effectively mitigates and unbound has a strong security track record.