Fix permissions of created control and server key

Server key should remain user-readable only. But change control key generation to make the key group-readable. Resolves: RHEL-73862
2025-06-09 16:45:47 +02:00 · 2025-06-09 16:45:47 +02:00 · 68dbd9baf7
commit 68dbd9baf7
parent e25447792f
2 changed files with 34 additions and 1 deletions
--- a/unbound-1.23-unbound-control-perms.patch
+++ b/unbound-1.23-unbound-control-perms.patch
@ -0,0 +1,31 @@
+From bf85823eb03d749ef2beb7b22464d1d0bb9f5952 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 14 Jan 2025 13:55:10 +0100
+Subject: [PATCH] Add unbound members group access to control key
+
+Recent openssl genrsa does not use umask for generated keys. There is no
+strong reason why every member of unbound group should be able read
+server key. But control key would be quite useful to be group readable
+and to allow control access to whole group. Allowing access to control
+by group membership, not via sudo.
+---
+ unbound-1.20.0/smallapp/unbound-control-setup.sh.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/unbound-1.20.0/smallapp/unbound-control-setup.sh.in b/unbound-1.20.0/smallapp/unbound-control-setup.sh.in
+index eaf1d08..c38c186 100644
+--- a/unbound-1.20.0/smallapp/unbound-control-setup.sh.in
+++ b/unbound-1.20.0/smallapp/unbound-control-setup.sh.in
+@@ -200,7 +200,8 @@ fi
+ # remove unused permissions
+ chmod o-rw \
+       "$SVR_BASE.pem" \
+-      "$SVR_BASE.key" \
+      "$SVR_BASE.key"
+chmod g+r,o-rw \
+       "$CTL_BASE.pem" \
+       "$CTL_BASE.key"
+ 
+-- 
+2.49.0
+
--- a/unbound.spec
+++ b/unbound.spec
@ -69,6 +69,8 @@ Patch2: unbound-1.21-CVE-2024-8508.patch
 # https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f
 # https://github.com/NLnetLabs/unbound/commit/a1150078f29e14b36c8e4d9d05a263a5e6abbc5b
 Patch3: unbound-1.23.1-CVE-2025-5994.patch
+# https://github.com/NLnetLabs/unbound/pull/1220
+Patch4: unbound-1.23-unbound-control-perms.patch

 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
@ -466,7 +468,7 @@ popd
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
+%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
 %{_sbindir}/unbound
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control