diff --git a/unbound-1.23-unbound-control-perms.patch b/unbound-1.23-unbound-control-perms.patch
new file mode 100644
index 0000000..caa1d92
--- /dev/null
+++ b/unbound-1.23-unbound-control-perms.patch
@@ -0,0 +1,31 @@
+From bf85823eb03d749ef2beb7b22464d1d0bb9f5952 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Tue, 14 Jan 2025 13:55:10 +0100
+Subject: [PATCH] Add unbound members group access to control key
+
+Recent openssl genrsa does not use umask for generated keys. There is no
+strong reason why every member of unbound group should be able read
+server key. But control key would be quite useful to be group readable
+and to allow control access to whole group. Allowing access to control
+by group membership, not via sudo.
+---
+ unbound-1.20.0/smallapp/unbound-control-setup.sh.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/unbound-1.20.0/smallapp/unbound-control-setup.sh.in b/unbound-1.20.0/smallapp/unbound-control-setup.sh.in
+index eaf1d08..c38c186 100644
+--- a/unbound-1.20.0/smallapp/unbound-control-setup.sh.in
++++ b/unbound-1.20.0/smallapp/unbound-control-setup.sh.in
+@@ -200,7 +200,8 @@ fi
+ # remove unused permissions
+ chmod o-rw \
+ "$SVR_BASE.pem" \
+- "$SVR_BASE.key" \
++ "$SVR_BASE.key"
++chmod g+r,o-rw \
+ "$CTL_BASE.pem" \
+ "$CTL_BASE.key"
+
+--
+2.49.0
+
diff --git a/unbound.spec b/unbound.spec
index 27a9065..8f6a837 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -69,6 +69,8 @@ Patch2: unbound-1.21-CVE-2024-8508.patch
 # https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f
 # https://github.com/NLnetLabs/unbound/commit/a1150078f29e14b36c8e4d9d05a263a5e6abbc5b
 Patch3: unbound-1.23.1-CVE-2025-5994.patch
+# https://github.com/NLnetLabs/unbound/pull/1220
+Patch4: unbound-1.23-unbound-control-perms.patch
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
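Review bot: The new `chmod o-rw` line still leaves the group bits of `$SVR_BASE.key` untouched, so the embedded patch only narrows the server key's mode when openssl already created it 0600; a key that pre-exists with the 0640 the spec used to declare keeps group read, which contradicts the commit message's aim of keeping the server key out of reach of every unbound group member. Since the spec side now declares the server key as 0600, the script should enforce the same mode explicitly rather than rely on the generator, e.g. `chmod o-rw "$SVR_BASE.pem"` followed by `chmod g-rwx,o-rwx "$SVR_BASE.key"`. The `g+r` on the control key is the intended widening; it also applies to `$CTL_BASE.pem`, which is fine for a certificate but worth a short comment so the asymmetry between the two keys is deliberate and documented. The rest of the setup script, including the code that generates these files earlier, is outside the hunk.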
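Review bot: The comment above the new `Patch4:` line references an upstream pull request, while the two comments kept above `Patch3:` reference merged commits; once the change lands upstream, replacing it with the commit URL (and the first release carrying it) keeps the backport as traceable as the CVE patches are. Separately, the embedded diff in the new patch file is rooted at `unbound-1.20.0/smallapp/...`, so it needs a strip level that matches the unpacked 1.23 tree; the `%prep` section is not in this hunk, so I cannot confirm the patch applies cleanly with the existing `%autosetup`/`%patch` options.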
@@ -466,7 +468,7 @@ popd
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
+%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
 %{_sbindir}/unbound
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control
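Review bot: Tightening the `%ghost` entry to `%attr(0600,root,unbound)` changes only the mode rpm records for `unbound_server.key`; as far as I know rpm does not touch `%ghost` files on upgrade, so an already-generated key on existing installs keeps its old 0640 until `unbound-control-setup` is rerun, and the patched script only drops other-access, not group-read. If existing systems are meant to be tightened, a `%post`/`%posttrans` `chmod 0600` guarded by a file-existence check, or a changelog note that the setup must be rerun, would make that explicit. Leaving `unbound_control.key` at 0640 matches the patch's intent of group-readable control credentials; a one-line comment above these four entries explaining why the two keys now differ would help the next maintainer.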