Description of problem: Control channel keys are generated by unbound-keygen service before unbound.service start. Generated files should be owned by root but readable by unbound. Version-Release number of selected component (if applicable): unbound-1.8.1-1.fc30.x86_64 How reproducible: always Steps to Reproduce: 1. dnf install unbound 2. systemctl restart unbound-keygen 3. ls -l /etc/unbound/unbound_* 4. rpm -V unbound Actual results: -rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key -rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem -rw-------. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key -rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem .M....... g /etc/unbound/unbound_control.key .M....... g /etc/unbound/unbound_server.key Expected results: -rw-r-----. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_control.key -rw-r-----. 1 root unbound 1342 Oct 17 18:41 /etc/unbound/unbound_control.pem -rw-r-----. 1 root unbound 2459 Oct 17 18:41 /etc/unbound/unbound_server.key -rw-r-----. 1 root unbound 1334 Oct 17 18:41 /etc/unbound/unbound_server.pem Additional info: I think this is regression, it worked before by default. Default permissions for keys might be changed in openssl genrsa default mode. It does work as expected on RHEL7. It does not cause any problems just because CAP_DAC_READ_SEARCH is granted to unbound and is not dropped.
Created attachment 1494941 [details] proposed patch, set mode manually
Reported to upstream as bug: https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4192
Patch accepted upstream
Already merged with new version build.