As reported: The ebuilds for net-dns/unbound create the "unbound" user with its home directory set to /etc/unbound: pkg_setup() { enewgroup unbound enewuser unbound -1 -1 /etc/unbound unbound use python && python-single-r1_pkg_setup } As a result, /etc/unbound is writable by the "unbound" user. However, that's where the sensitive unbound.conf gets installed (as root:root): $ /bin/ls -al /etc/unbound/ total 44 drwxr-xr-x 2 unbound root 4096 Dec 14 13:59 . drwxr-xr-x 79 root root 4096 Dec 14 13:59 .. -rw-r--r-- 1 root root 34276 Dec 14 13:59 unbound.conf That conf file must only be writable by root; at least... * the OpenRC service script uses the value of "pidfile" found in unbound.conf, so anyone who can edit that file can clobber things on the fileystem. * the daemon binds to its interface and port as root, so the "unbound" user could bind to e.g. port 80. * From daemon/unbound.c and daemon/remote.c, it looks like unbound will call "chown" on its pidfile/socket respectively, meaning that if the "unbound" user can alter the pidfile or local socket location, then he can take control of any file the next time the daemon is started. (I haven't tested this one, because the first two are bad enough.) References: https://bugs.gentoo.org/641042
Created unbound tracking bugs for this issue: Affects: fedora-all [bug 1528445]
The description sounds specific to Gentoo's packaging of unbound, and indeed Fedora + RHEL's configuration does not have this issue: # cd /etc/unbound # ls -laZ drwxr-xr-x. 5 root root system_u:object_r:named_conf_t:s0 4096 Dec 22 12:53 . drwxr-xr-x. 175 root root system_u:object_r:etc_t:s0 12288 Dec 22 09:41 .. drwxr-xr-x. 2 root unbound system_u:object_r:named_conf_t:s0 4096 Dec 22 12:53 conf.d -rw-r--r--. 1 root root system_u:object_r:named_conf_t:s0 13026 Dec 2 02:33 icannbundle.pem drwxr-xr-x. 2 root unbound system_u:object_r:named_conf_t:s0 4096 Dec 22 12:53 keys.d drwxr-xr-x. 2 root unbound system_u:object_r:named_conf_t:s0 4096 Dec 22 12:53 local.d -rw-r--r--. 1 root root system_u:object_r:dnssec_t:s0 939 Dec 2 02:44 root.key -rw-r--r--. 1 root root system_u:object_r:named_conf_t:s0 35901 Dec 2 02:33 unbound.conf However: # ls -lZ conf.d/* local.d/* -rw-rw-r--. root unbound system_u:object_r:named_conf_t:s0 conf.d/example.com.conf -rw-rw-r--. root unbound system_u:object_r:named_conf_t:s0 local.d/block-example.com.conf Default /etc/unbound/unbound.conf includes conf.d/*.conf and local.d/*.conf, including these default (empty except comments) files. SELinux prevents unbound (named_t) from writing these files *even prior to dropping privs*, but with SELinux disabled it is possible that a compromise of unbound could use these writable files to clobber other filesystem objects, possibly privesc. I think removing g+w permissions from these files should be considered to add a layer of protection for non-SELinux environments, but it is not an urgent fix since SELinux effectively mitigates and unbound has a strong security track record.