Bug 1640259 - unbound-keygen: generated keys have too strict permissions
Summary: unbound-keygen: generated keys have too strict permissions
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: unbound
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1640285
TreeView+ depends on / blocked
 
Reported: 2018-10-17 17:12 UTC by Petr Menšík
Modified: 2019-03-19 09:47 UTC (History)
4 users (show)

See Also:
Fixed In Version: unbound-1.8.2-1.fc30 unbound-1.8.2-1.fc29
Clone Of:
Environment:
Last Closed: 2019-03-19 09:47:36 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
proposed patch, set mode manually (1.27 KB, patch)
2018-10-17 17:47 UTC, Petr Menšík
no flags Details | Diff

Description Petr Menšík 2018-10-17 17:12:24 UTC
Description of problem:
Control channel keys are generated by unbound-keygen service before unbound.service start. Generated files should be owned by root but readable by unbound.

Version-Release number of selected component (if applicable):
unbound-1.8.1-1.fc30.x86_64

How reproducible:
always

Steps to Reproduce:
1. dnf install unbound
2. systemctl restart unbound-keygen
3. ls -l /etc/unbound/unbound_*
4. rpm -V unbound

Actual results:
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem

.M.......  g /etc/unbound/unbound_control.key
.M.......  g /etc/unbound/unbound_server.key

Expected results:
-rw-r-----. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key
-rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem
-rw-r-----. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key
-rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem


Additional info:
I think this is regression, it worked before by default. Default permissions for  keys might be changed in openssl genrsa default mode. It does work as expected on RHEL7. It does not cause any problems just because CAP_DAC_READ_SEARCH is granted to unbound and is not dropped.

Comment 1 Petr Menšík 2018-10-17 17:47:10 UTC
Created attachment 1494941 [details]
proposed patch, set mode manually

Comment 2 Petr Menšík 2018-10-17 17:47:59 UTC
Reported to upstream as bug: 

https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4192

Comment 3 Petr Menšík 2018-10-22 13:09:26 UTC
Patch accepted upstream

Comment 4 Petr Menšík 2019-03-19 09:47:36 UTC
Already merged with new version build.


Note You need to log in before you can comment on or make changes to this bug.