Maintained by: NLnet Labs

[Unbound-users] unbound-control access control

W.C.A. Wijngaards
Fri Nov 21 19:44:04 CET 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Dmitriy,

Dmitriy Demidov wrote:
> control unbound process to any user in the local system... AFAIK all access 
> control is done by file systems ACL for SSL certificate files?

Yes. Also the interface is 127.0.0.1 by default, so localhost only.
The system can work for remote administration also, but then you must
set control-interface "0.0.0.0" (any), and maybe adjust your firewall.

> and to close this "security hole" I make a fast chmod/chown to this:

Added chmod o-rw (files) to unbound-control-setup.

Thank you for the suggestion,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkknAXQACgkQkDLqNwOhpPhtXgCgp2bAdeScfiXDlAeYsobv7/Nm
nVcAoKX7Owwrz5921a3PCJwVXQeZVsA2
=952p
-----END PGP SIGNATURE-----
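
An added example, not part of the original message or of Unbound itself: a shell check for the two controls the reply describes, file permissions on the control key and certificate files and a localhost-only control-interface. The function names are hypothetical, the file names are assumed to be the defaults written by unbound-control-setup, and treating a value that starts with "/" as a local socket path is an assumption taken from later Unbound releases.

```shell
#!/bin/sh
# Added example: audit the two controls discussed above. File names are assumed
# to be the unbound-control-setup defaults; the directory is an argument.

# Print one line per finding; return 0 only when nothing was found.
audit_unbound_control() {
    dir=$1
    conf=${2:-$dir/unbound.conf}
    findings=0

    for f in unbound_server.key unbound_server.pem \
             unbound_control.key unbound_control.pem; do
        [ -e "$dir/$f" ] || continue
        # Columns 8-9 of the mode string are the read/write bits for "other".
        case $(ls -ldL "$dir/$f" | cut -c8-9) in
            *[rw]*) echo "PERM $dir/$f: accessible to other users (chmod o-rw)"
                    findings=$((findings + 1)) ;;
        esac
    done

    [ -r "$conf" ] || { [ "$findings" -eq 0 ]; return; }
    # Active (uncommented) control-interface values, quotes stripped.
    for addr in $(sed -n \
        's/^[[:space:]]*control-interface:[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p' \
        "$conf"); do
        case $addr in
            127.0.0.1|::1|/*) ;;   # loopback, or a local socket path (assumption)
            *) echo "LISTEN control-interface $addr: not localhost only, check firewall"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed demo: a throwaway directory with loose keys and a wildcard listener.
demo_audit() {
    d=$(mktemp -d) || return 2
    for f in unbound_server.key unbound_control.key; do
        : > "$d/$f"; chmod 644 "$d/$f"
    done
    printf 'remote-control:\n  control-interface: "0.0.0.0"\n' > "$d/unbound.conf"
    before=$(audit_unbound_control "$d" | wc -l)
    chmod o-rw "$d"/*.key        # the change made to unbound-control-setup
    sed 's/0\.0\.0\.0/127.0.0.1/' "$d/unbound.conf" > "$d/c2" && mv "$d/c2" "$d/unbound.conf"
    after=$(audit_unbound_control "$d" | wc -l)
    rm -rf "$d"
    echo "$((before)) $((after))"   # findings before and after the fixes
}
```

Call `audit_unbound_control` with the directory that holds your unbound.conf and control files; a non-zero exit status means at least one finding was printed.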