Maintained by: NLnet Labs

initial failures

Anand Buddhdev
Fri May 27 09:48:10 CEST 2016


On 26/05/16 17:30, jpff via Unbound-users wrote:

Hi John,

> I installed unbound yesterday and I thought I followed the instructions
> but I have two problems
> 
> 1: if I have
>       auto-trust-anchor-file: "/etc/unbound/root.key"
> in the conf file I see
> [1464193283] unbound[14683:0] error: could not open autotrust file for writing, /root.key.14683-0: Permission denied
> [1464195262] unbound[14958:0] notice: init module 0: validator
> [1464195262] unbound[14958:0] notice: init module 1: iterator
> [1464195263] unbound[14958:0] info: start of service (unbound 1.4.17).
> [1464195266] unbound[14958:0] error: could not open autotrust file for writing, /root.key.14958-0: Permission denied
> [1464236233] unbound[14958:0] error: could not open autotrust file for writing, /root.key.14958-0: Permission denied
> 
> in the log file.  I have tried both 644 with owner root and unbound to
> the same effect.  What permissions do I need?

Setting permissions on the file isn't enough. Unbound updates this file
by writing out a temporary one with new content and then renaming it.
Since Unbound switches to the "unbound" user after starting up, the
"unbound" user needs write access to the _directory_ where this file is,
i.e. /etc/unbound.

IMHO, the man page for unbound.conf is misleading. It says that "the
unbound user must have write permission", and this makes a user think
that only the file needs to be writable, when in fact, the directory
also needs to be writable by the unbound user.

Regards,
Anand
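
The write-temporary-file-then-rename update described in the reply above, as an added example that is not part of the original thread and is not Unbound's own code. The function names, the temporary directory standing in for /etc/unbound, and the second uid are hypothetical; the permission check models plain mode bits only (no root override, ACLs, MAC policy or read-only mounts).

```python
import os
import stat
import tempfile


def dir_allows_create(dir_path, uid, gids):
    """True if the directory's mode bits let (uid, gids) create and rename
    entries in it. Simplified model, see the assumptions in the lead-in."""
    st = os.stat(dir_path)
    if uid == st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def update_by_rename(path, data):
    """Write a temporary file beside `path`, then rename it over `path`.
    Both steps change the directory; the old file's mode is never consulted."""
    tmp = "%s.%d-0" % (path, os.getpid())  # name modelled on the quoted log lines
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.rename(tmp, path)


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for /etc/unbound
        key = os.path.join(d, "root.key")
        with open(key, "wb") as fh:
            fh.write(b"old")
        os.chmod(key, 0o666)   # the file itself is writable by everyone...
        os.chmod(d, 0o755)     # ...but only the directory owner may add entries
        owner = os.stat(d).st_uid
        other = owner + 1      # hypothetical unprivileged daemon uid
        results["owner"] = dir_allows_create(d, owner, [])
        results["other"] = dir_allows_create(d, other, [])
        update_by_rename(key, b"new")  # works here because we own the directory
        with open(key, "rb") as fh:
            results["content"] = fh.read()
        results["leftover"] = sorted(os.listdir(d))
    return results


if __name__ == "__main__":
    print(demo())
```

Even with the key file set to 0666, the non-owner uid fails the directory check, which matches the "Permission denied" on the temporary file in the quoted log.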