Maintained by: NLnet Labs

[Unbound-users] unbound-control access control

Dmitriy Demidov
Fri Nov 21 17:49:48 CET 2008


Hi! Thanks for this new release of Unbound!
I just upgraded unbound from the previous version and now I'm playing with
unbound-control. I met one security problem - unbound-control allows any user
on the local system to control the unbound process... AFAIK all access
control is done by file system ACLs on the SSL certificate files?

unbound-control-setup generated these files:
[root at dns /usr/local/etc/unbound]# ls -la
total 209
drwxr-xr-x   3 unbound  wheel      512 21 ноя 18:08 .
drwxr-xr-x  39 root     wheel     2048 12 ноя 20:42 ..
dr-xr-xr-x   4 root     wheel      512 21 ноя 19:36 dev
-rw-r--r--   1 root     wheel     2879  4 фев  2008 named.cache
-rw-r--r--   1 root     wheel     1766 21 ноя 17:57 unbound.conf
-rw-r--r--   1 root     wheel    16977 21 ноя 12:56 unbound.conf.sample
-rw-r--r--   1 unbound  wheel   173952 16 ноя 13:43 unbound.log
-rw-r--r--   1 unbound  daemon       5 21 ноя 18:08 unbound.pid
-rw-r--r--   1 root     wheel      891 21 ноя 17:57 unbound_control.key
-rw-r--r--   1 root     wheel      627 21 ноя 17:57 unbound_control.pem
-rw-r--r--   1 root     wheel      887 21 ноя 17:57 unbound_server.key
-rw-r--r--   1 root     wheel      619 21 ноя 17:57 unbound_server.pem

and to close this "security hole" I made a quick chmod/chown to this:

-r--r-----   1 unbound  wheel      891 21 ноя 17:57 unbound_control.key
-r--r-----   1 unbound  wheel      627 21 ноя 17:57 unbound_control.pem
-r--r-----   1 unbound  wheel      887 21 ноя 17:57 unbound_server.key
-r--r-----   1 unbound  wheel      619 21 ноя 17:57 unbound_server.pem

Now only root and wheel group members can use unbound-control on my local
machine.

I'm using FreeBSD 7.1-PRERELEASE. Unbound is installed from ports.
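An added example, not from the post or from Unbound itself: a small POSIX sh audit that checks the four files unbound-control-setup writes for the loose 0644 mode shown above and tightens them to the 0440 layout the poster ends up with. The directory and file names are taken from the post; the function names are my own.

```shell
#!/bin/sh
# Audit and tighten the unbound-control key material so that only the file
# owner and its group can read it. Added example, not Unbound project code.
# Assumed: the four file names that unbound-control-setup writes (from the post).

CONTROL_FILES="unbound_control.key unbound_control.pem unbound_server.key unbound_server.pem"

# mode_string FILE -> the 10-character mode column of ls -l, e.g. -rw-r--r--
# (cut to 10 chars so trailing ACL/attribute markers like '+' or '@' are ignored)
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# audit_control_perms DIR
# Prints one "loose:" line per file that "other" can access at all, or that
# the group can write. Returns 1 if any such file exists, 0 if all are tight.
audit_control_perms() {
    dir="$1"; bad=0
    for f in $CONTROL_FILES; do
        p="$dir/$f"
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            continue
        fi
        m=$(mode_string "$p")
        grp_w=$(printf '%s' "$m" | cut -c6)     # group write bit
        other=$(printf '%s' "$m" | cut -c8-10)  # rwx bits for "other"
        if [ "$other" != "---" ] || [ "$grp_w" != "-" ]; then
            echo "loose: $m $p"
            bad=1
        fi
    done
    return $bad
}

# tighten_control_perms DIR
# chmod 0440: owner and group read only. Run as root; follow with chown to
# the daemon user and the admin group (unbound:wheel in the post) so the
# daemon can still read its server key and only wheel can use the control key.
tighten_control_perms() {
    dir="$1"
    for f in $CONTROL_FILES; do
        if [ -e "$dir/$f" ]; then
            chmod 0440 "$dir/$f"
        fi
    done
}

# Usage: sh audit-control-perms.sh /usr/local/etc/unbound
if [ "$#" -gt 0 ]; then
    audit_control_perms "$1"
fi
```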