Describe the bug
Keys created by unbound-control-setup are not group readable.
```
-rw-------. 1 root unbound 2455 Dec 23 14:26 unbound_control.key
-rw-r-----. 1 root unbound 1411 Dec 23 14:26 unbound_control.pem
-rw-------. 1 root unbound 2459 Dec 23 14:26 unbound_server.key
-rw-r-----. 1 root unbound 1549 Dec 23 14:26 unbound_server.pem
```
This was fixed at one point in (pre-github?) 6429b5c
But was quickly broken again in 22ab255
Where the relevant change is:
```sh
# remove unused permissions
chmod o-rw \
    "$SVR_BASE.pem" \
    "$SVR_BASE.key" \
    "$CTL_BASE.pem" \
    "$CTL_BASE.key"
```
is broken vs
```sh
# set desired permissions
chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
```
works
To reproduce
Steps to reproduce the behavior:
1. rm /etc/unbound/*.pem /etc/unbound/*.key
2. systemctl restart unbound
3. ls -l /etc/unbound/*.key
Expected behavior
I expect the members of the unbound group to be able to read the key
System:
- Unbound version: 1.16.2
- OS: Oracle Linux 8.7
unbound -V output:

```
unbound -V
Version 1.16.2
Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pythonmodule --with-pyunbound PYTHON=/usr/libexec/platform-python --with-libevent --with-pthreads --with-ssl --disable-rpath --disable-static --enable-relro-now --enable-pie --enable-subnet --enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/var/run/unbound/unbound.pid --enable-sha2 --disable-gost --enable-ecdsa --with-rootkey-file=/var/lib/unbound/root.key --enable-linux-ip-local-port-range
Linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1k FIPS 25 Mar 2021
Linked modules: dns64 python ipsecmod subnetcache respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues
[root@tenable-umwey6bv unbound]#
```
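The two chmod variants quoted in the report behave differently because a freshly generated private key already has mode 0600: `chmod o-rw` only clears bits that are already clear, while `chmod 0640` sets the group-read bit explicitly. The script below is an added illustration of that difference on throwaway files, not code from unbound-control-setup; it assumes GNU `stat` (as on Oracle Linux 8) and a writable temp directory.

```shell
#!/bin/sh
# Added illustration, not unbound's own script: emulate the permission step of
# unbound-control-setup on a constructed 0600 key file and report the result.

# Octal mode of a file (GNU stat; BSD stat would need -f %Lp instead).
mode_of() {
    stat -c '%a' "$1"
}

# Broken variant (the "remove unused permissions" change): o-rw on a 0600 file
# is a no-op for the group bits, so the unbound group still cannot read the key.
perms_after_o_minus_rw() {
    f=$(mktemp) && chmod 0600 "$f"
    chmod o-rw "$f"
    mode_of "$f"
    rm -f "$f"
}

# Working variant (the earlier "set desired permissions" change): an absolute
# mode grants group read regardless of what the key generator left behind.
perms_after_0640() {
    f=$(mktemp) && chmod 0600 "$f"
    chmod 0640 "$f"
    mode_of "$f"
    rm -f "$f"
}

# Check the property the reporter expects: group read bit set (exit 0 if so).
# The 5th character of "%A" output (e.g. -rw-r-----) is the group read flag.
group_readable() {
    case "$(stat -c '%A' "$1")" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}
```

Running `perms_after_o_minus_rw` prints 600 and `perms_after_0640` prints 640, which matches the `ls -l` output in the report; `group_readable /etc/unbound/unbound_control.key` is the one-line check to confirm a fix on a real host.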