Maintained by: NLnet Labs

[Unbound-users] riddle me this: why does one machine fail to start SSL for the control channel?

W.C.A. Wijngaards
Mon Feb 2 12:14:04 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Greg,

Thank you for this report.  It looks like it is indeed the groups.  Did
not know about secondary group privileges.  I'll put on my todo to print
ssl filenames, and to call initgroups(3).

Unbound 1.2.0 calls setresgid but not initgroups.

Please note that the server needs 3 files to operate:
server-key-file,  server-cert-file and
control-cert-file(unbound_control.pem).  It uses that last one to
authenticate the client.

Best regards,
   Wouter

Greg A. Woods; Planix, Inc. wrote:
> So, I've got two nearly identical machines, with nearly identical
> configurations, running unbound-1.2.0, but yet only one of them will
> start unbound without having the server-key-file and server-cert-file
> readable by the user unbound runs as after it gets started.  The
> (extremely unhelpful!!! -- I almost had to ktrace to find out which
> file(s) it's actually complaining about!!!) errors are appended below.

> If this is the significant difference then indeed unbound-1.2.0 is
> failing to use setgroups(2) or initgroups(3) or best of all
> setusercontext(3) to ensure the unprivileged process dumps _all_
> unnecessary privileges; and then of course it also needs to have already
> opened all privileged files prior to dropping privileges.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmG1XwACgkQkDLqNwOhpPiytwCdH5HF+5i8uG4L/FNV/yEFXve5
kgQAniZtCIZsGpITabBNzi0jull4YRx9
=oeuC
-----END PGP SIGNATURE-----