From c7f44b99e343820e50f9a09485d685fb22d357b8 Mon Sep 17 00:00:00 2001
From: Petr Mensik
Date: Fri, 7 Jan 2022 12:01:28 +0100
Subject: [PATCH] Change file mode before changing file owner

Change mode first when configuring remote control unix socket. Some security systems might strip capability of changing other user's system even to process with effective uid 0. That is done on Fedora by SELinux policy and systemd for example. SELinux audit then shows errors, because unbound tries modifying permissions of not own file. Fix just by mode change as first step, make it owned by unbound:unbound user as the last step only.
Related: rhbz#1905441
---
 daemon/remote.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index adf038389..183f6d4dc 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -300,6 +300,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 */
 if(fd != -1) {
 #ifdef HAVE_CHOWN
+ chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
 if (cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1) {
 if(chown(ip, cfg_uid, cfg_gid) == -1)
@@ -307,7 +308,6 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 (unsigned)cfg_uid, (unsigned)cfg_gid, ip, strerror(errno));
 }
- chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
 #else
 (void)cfg;
 #endif
--
2.39.5
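Review bot: The chmod() moved to the top of the `#ifdef HAVE_CHOWN` block in the first hunk still discards its return value, while the chown() two lines below appears to log its failure with errno (the `strerror(errno)` argument list is visible at the start of the second hunk); a silently failed chmod leaves the control socket at whatever mode the umask produced, and nobody is told. Mirror the chown handling: `if(chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)) == -1)` followed by the same logging call with `"cannot chmod %s: %s", ip, strerror(errno)`. A one-line comment above the call would also carry the commit's rationale into the code, e.g. `/* chmod before chown: with SELinux/systemd restrictions a uid-0 process may be denied changing the mode of a file it no longer owns */`. Both hunks are inside add_open, whose body begins before the first hunk and continues after the second.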