Maintained by: NLnet Labs

[Unbound-users] unbound-control access control

Dmitriy Demidov
Sun Nov 23 17:10:04 CET 2008


Hi Wouter.

I can see your correction in the trunk repository - thanks. 
># remove unused permissions
>chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key

But I have to warn you about one extra problem. If I make the chmod/chown changes 
corresponding to this new unbound-control-setup.sh:
-rw-r-----   1 root     wheel     891 21 Nov 17:57 unbound_control.key
-rw-r-----   1 root     wheel     627 21 Nov 17:57 unbound_control.pem
-rw-r-----   1 root     wheel     887 21 Nov 17:57 unbound_server.key
-rw-r-----   1 root     wheel     619 21 Nov 17:57 unbound_server.pem

then, during system restart, unbound does not start automatically and I can 
see these error messages inside unbound.log:
[1227454036] unbound[1035:0] debug: module config: "iterator"
[1227454036] unbound[1035:0] notice: init module 0: iterator
[1227454036] unbound[1035:0] debug: target fetch policy for level 0 is 3
[1227454036] unbound[1035:0] debug: target fetch policy for level 1 is 2
[1227454036] unbound[1035:0] debug: target fetch policy for level 2 is 1
[1227454036] unbound[1035:0] debug: target fetch policy for level 3 is 0
[1227454036] unbound[1035:0] debug: target fetch policy for level 4 is 0
[1227454036] unbound[1035:0] debug: Reading root hints from /named.cache
[1227454036] unbound[1035:0] info: DelegationPoint<.>: 13 names (7 missing), 19 addrs (0 result, 19 avail)
[1227454036] unbound[1035:0] debug: duplicate donotquery address ignored.
[1227454036] unbound[1035:1] debug: cache memory msg=33040 rrset=33040 infra=1312 val=0
[1227454036] unbound[1035:2] debug: cache memory msg=33040 rrset=33040 infra=1312 val=0
[1227454036] unbound[1035:3] debug: cache memory msg=33040 rrset=33040 infra=1312 val=0
[1227454036] unbound[1035:0] error: Error setting up SSL_CTX key and cert crypto error:0200100D:system library:fopen:Permission denied
[1227454036] unbound[1035:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
[1227454036] unbound[1035:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
[1227454036] unbound[1035:0] error: util/alloc.c at 131 could not pthread_spin_destroy(&alloc->lock): Invalid argument
[1227454036] unbound[1035:0] fatal error: Could not initialize main thread

procstat for the running unbound process says this:
# procstat -s 1035
  PID COMM              EUID  RUID SVUID  EGID  RGID SVGID GROUPS
 1035 unbound             59    59    59     1     1     1 1

GID=1 - it is the FreeBSD special 'daemon' group
UID=59 - it is the dedicated user ID for unbound
GID=59 - it is the dedicated group ID for unbound

This trouble disappears only if I make this set of ACL/ownership changes:
-r--r-----   1 unbound  wheel      891 21 Nov 17:57 unbound_control.key
-r--r-----   1 unbound  wheel      627 21 Nov 17:57 unbound_control.pem
-r--r-----   1 unbound  wheel      887 21 Nov 17:57 unbound_server.key
-r--r-----   1 unbound  wheel      619 21 Nov 17:57 unbound_server.pem

So... It may be a FreeBSD-specific situation or it may not be - I cannot 
investigate this issue in more detail.

Anyway - I hope this report will be helpful...



On Friday 21 November 2008, W.C.A. Wijngaards wrote:
> Hi Dmitriy,

>
> added chmod o-rw (files) to unbound-control-setup.
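The failure in the report above is an ordinary Unix permission decision: after `chmod o-rw` the files are root:wheel 0640, and procstat shows the unbound process running as uid 59 with group set {1}, so neither the owner triad nor the group triad applies and the "other" triad has no read bit. The following POSIX sh script is an added example written for this page; it is not code from the original thread or from the unbound project. It replays the kernel's read check on the ownership and mode from the two posted listings so the before/after states can be compared without touching a live system, and also runs the same check against a real file via `stat`. It assumes `wheel` is gid 0 as on FreeBSD, takes the process ids (euid 59, groups "1") from the posted procstat output, and the third case (leaving root as owner but setting the group to gid 1) is a suggested alternative, not something the poster tried.

```shell
#!/bin/sh
# Added example for this page; not code from the original post or from unbound.
# Replays the discretionary read-permission check for a process with the ids
# that procstat showed for unbound (euid 59, group set {1}). Assumption: wheel
# is gid 0 (FreeBSD); the file owner/group/mode triples below come from the
# listings in the post.

# can_read_as OWNER_UID FILE_GID MODE PROC_UID "PROC_GIDS"
# MODE is octal as printed by ls/stat (0640, 640 or 100640 all work).
# PROC_GIDS is the space-separated group set (egid plus supplementary groups).
# Returns 0 (true) if the process may read the file, 1 otherwise.
can_read_as() {
    owner=$1; fgid=$2; mode=$3; uid=$4; gids=$5

    # root bypasses discretionary file permissions
    [ "$uid" -eq 0 ] && return 0

    # strip leading zeros, then pick the user/group/other octal digits
    d=$(printf '%s' "$mode" | sed 's/^0*//'); d=${d:-0}
    u=$(( d / 100 % 10 )); g=$(( d / 10 % 10 )); o=$(( d % 10 ))

    # exactly one triad applies: owner if uid matches, else group if any gid
    # in the process group set matches the file's group, else other
    if [ "$uid" -eq "$owner" ]; then
        triad=$u
    else
        triad=$o
        for gid in $gids; do
            if [ "$gid" -eq "$fgid" ]; then triad=$g; break; fi
        done
    fi
    [ $(( triad & 4 )) -ne 0 ]
}

# file_readable_by PATH PROC_UID "PROC_GIDS"
# Same decision against a real file; tries GNU stat first, then BSD stat.
# Returns 2 if neither stat variant works.
file_readable_by() {
    f=$1; uid=$2; gids=$3
    info=$(stat -c '%u %g %a' "$f" 2>/dev/null || stat -f '%u %g %Lp' "$f" 2>/dev/null) || return 2
    set -- $info
    can_read_as "$1" "$2" "$3" "$uid" "$gids"
}

# report LABEL OWNER_UID FILE_GID MODE: print the outcome for unbound's ids
report() {
    if can_read_as "$2" "$3" "$4" 59 "1"; then
        echo "$1: readable by unbound (uid 59, groups 1)"
    else
        echo "$1: Permission denied for unbound (uid 59, groups 1)"
    fi
}

# The PEM/key files from the post: after unbound-control-setup's chmod o-rw,
# after the poster's chown to unbound, and a suggested alternative (chgrp to
# a group unbound is actually in, gid 1 per procstat) that keeps root as owner.
report "root:wheel 0640 (after chmod o-rw)"  0  0 0640
report "unbound:wheel 0440 (poster's fix)"  59  0 0440
report "root:daemon 0640 (chgrp alternative)" 0 1 0640
```

Running the script prints "Permission denied" for the first listing and "readable" for the other two, matching the fopen error in the log. Note that the fix has to line up with the ids the daemon actually runs with, not with the ids in /etc/passwd: procstat shows group set {1}, not 59, so a `chgrp unbound` alone would not have helped on this system.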