1640259 – unbound-keygen: generated keys have too strict permissions

Bug 1640259 - unbound-keygen: generated keys have too strict permissions

Summary: unbound-keygen: generated keys have too strict permissions

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	unbound
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Petr Menšík
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1640285
TreeView+	depends on / blocked

Reported:	2018-10-17 17:12 UTC by Petr Menšík
Modified:	2019-03-19 09:47 UTC (History)
CC List:	4 users (show)
See Also:	https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4192
Fixed In Version:	unbound-1.8.2-1.fc30 unbound-1.8.2-1.fc29
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-03-19 09:47:36 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
proposed patch, set mode manually (1.27 KB, patch) 2018-10-17 17:47 UTC, Petr Menšík	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Description Petr Menšík 2018-10-17 17:12:24 UTC

Description of problem:
Control channel keys are generated by unbound-keygen service before unbound.service start. Generated files should be owned by root but readable by unbound.

Version-Release number of selected component (if applicable):
unbound-1.8.1-1.fc30.x86_64

How reproducible:
always

Steps to Reproduce:
1. dnf install unbound
2. systemctl restart unbound-keygen
3. ls -l /etc/unbound/unbound_*
4. rpm -V unbound

Actual results:
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem

.M.......  g /etc/unbound/unbound_control.key
.M.......  g /etc/unbound/unbound_server.key

Expected results:
-rw-r-----. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-r-----. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem


Additional info:
I think this is regression, it worked before by default. Default permissions for  keys might be changed in openssl genrsa default mode. It does work as expected on RHEL7. It does not cause any problems just because CAP_DAC_READ_SEARCH is granted to unbound and is not dropped.

Comment 1 Petr Menšík 2018-10-17 17:47:10 UTC

Created attachment 1494941 [details]
proposed patch, set mode manually

Comment 2 Petr Menšík 2018-10-17 17:47:59 UTC

Reported to upstream as bug: 

https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4192

Comment 3 Petr Menšík 2018-10-22 13:09:26 UTC

Patch accepted upstream

Comment 4 Petr Menšík 2019-03-19 09:47:36 UTC

Already merged with new version build.

Note You need to log in before you can comment on or make changes to this bug.