From: Wouter Wijngaards Date: Mon, 31 May 2010 14:11:51 +0000 (+0000) Subject: unbound-control-setup more secure on multiuser system. X-Git-Tag: release-1.4.5rc1~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da9ddfe2d14794f8946bebbe9c28263d7ae014af;p=thirdparty%2Funbound.git unbound-control-setup more secure on multiuser system. git-svn-id: file:///svn/unbound/trunk@2124 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 3542626bd..447285589 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -6,6 +6,7 @@ - parentside names are dispreferred but not said to be dnssec-lame. - parentside check for cached newname glue. - fix parentside and querytargets modulestate, for dump_requestlist. + - unbound-control-setup makes keys -rw-r--- so not all users permitted. 28 May 2010: Wouter - iana portlist updated. diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index da2964aeb..5c6cb2c1b 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -194,8 +194,10 @@ The unbound\-control program exits with status code 1 on error, 0 on success. The setup requires a self\-signed certificate and private keys for both the server and client. The script \fIunbound\-control\-setup\fR generates these in the default run directory, or with \-d in another directory. +If you change the access control permissions on the key files you can decide +who can use unbound\-control, by default owner and group but not all users. Run the script under the same username as you have configured in unbound.conf -so that the daemon is permitted to read the files, for example with: +or as root, so that the daemon is permitted to read the files, for example with: .nf sudo \-u unbound unbound\-control\-setup .fi diff --git a/smallapp/unbound-control-setup.sh b/smallapp/unbound-control-setup.sh index 1057124ce..ed78250aa 100755 --- a/smallapp/unbound-control-setup.sh +++ b/smallapp/unbound-control-setup.sh @@ -57,6 +57,9 @@ SVR_BASE=unbound_server # base name for unbound-control keys CTL_BASE=unbound_control +# we want -rw-r--- access (say you run this as root: grp=yes (server), all=no). +umask 0026 + # end of options # functions: