Hi! Thanks for this new release of Unbound! I just upgraded unbound from the previous version and now I'm playing with unbound-control. I met one security problem: unbound-control allows any user on the local system to control the unbound process... AFAIK all access control is done by file system ACLs on the SSL certificate files?
unbound-control-setup generated these files:

    [EMAIL PROTECTED] /usr/local/etc/unbound]# ls -la
    total 209
    drwxr-xr-x   3 unbound  wheel     512 21 ноя 18:08 .
    drwxr-xr-x  39 root     wheel    2048 12 ноя 20:42 ..
    dr-xr-xr-x   4 root     wheel     512 21 ноя 19:36 dev
    -rw-r--r--   1 root     wheel    2879  4 фев  2008 named.cache
    -rw-r--r--   1 root     wheel    1766 21 ноя 17:57 unbound.conf
    -rw-r--r--   1 root     wheel   16977 21 ноя 12:56 unbound.conf.sample
    -rw-r--r--   1 unbound  wheel  173952 16 ноя 13:43 unbound.log
    -rw-r--r--   1 unbound  daemon      5 21 ноя 18:08 unbound.pid
    -rw-r--r--   1 root     wheel     891 21 ноя 17:57 unbound_control.key
    -rw-r--r--   1 root     wheel     627 21 ноя 17:57 unbound_control.pem
    -rw-r--r--   1 root     wheel     887 21 ноя 17:57 unbound_server.key
    -rw-r--r--   1 root     wheel     619 21 ноя 17:57 unbound_server.pem

and to close this "security hole" I made a quick chmod/chown, to this:

    -r--r-----   1 unbound  wheel     891 21 ноя 17:57 unbound_control.key
    -r--r-----   1 unbound  wheel     627 21 ноя 17:57 unbound_control.pem
    -r--r-----   1 unbound  wheel     887 21 ноя 17:57 unbound_server.key
    -r--r-----   1 unbound  wheel     619 21 ноя 17:57 unbound_server.pem

Now only root and wheel group members can use unbound-control on my local machine. I'm using FreeBSD 7.1-PRERELEASE. Unbound is installed from ports.

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
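A small audit script for the point raised in this post, added here as an example and not part of Unbound or the poster's setup: it checks the four unbound-control key and certificate files and flags any that are readable by users outside the owner and group, then optionally applies the 0440 mode the poster ended up with. The default directory /usr/local/etc/unbound and the file names are taken from the listing above; it uses only ls, awk and cut so the same script runs on FreeBSD and Linux.

```shell
# Added example: audit the permissions of the unbound-control key and
# certificate files. Any local user who can read unbound_control.key can
# drive unbound-control, so the "other" bits must all be off.
# Directory default and file names follow the listing in the post.

UNBOUND_CTL_FILES="unbound_control.key unbound_control.pem unbound_server.key unbound_server.pem"

# unbound_ctl_perm_audit [dir]
# Prints one line per file; returns the number of files that are missing
# or world-accessible (0 means everything is locked down).
unbound_ctl_perm_audit() {
    dir="${1:-/usr/local/etc/unbound}"
    bad=0
    for f in $UNBOUND_CTL_FILES; do
        path="$dir/$f"
        if [ ! -e "$path" ]; then
            echo "MISSING          $path"
            bad=$((bad + 1))
            continue
        fi
        # Parse "ls -ld" rather than stat(1): stat's flags differ between
        # FreeBSD and GNU coreutils, the ls -l mode column does not.
        mode=$(ls -ld "$path" | awk '{print $1}')
        owner=$(ls -ld "$path" | awk '{print $3 ":" $4}')
        other=$(printf '%s' "$mode" | cut -c8-10)   # rwx bits for "other"
        if [ "$other" != "---" ]; then
            echo "WORLD-ACCESSIBLE $path $mode $owner"
            bad=$((bad + 1))
        else
            echo "OK               $path $mode $owner"
        fi
    done
    return "$bad"
}

# unbound_ctl_perm_fix [dir]
# Applies the mode the poster settled on (0440). Ownership is left to the
# admin: chown needs root and the right owner/group is site-specific
# (unbound:wheel in the post).
unbound_ctl_perm_fix() {
    dir="${1:-/usr/local/etc/unbound}"
    for f in $UNBOUND_CTL_FILES; do
        [ -e "$dir/$f" ] && chmod 0440 "$dir/$f"
    done
    return 0
}
```

Run `unbound_ctl_perm_audit` from cron or a config-management check so a package upgrade that regenerates the files with 0644 is caught rather than silently reopening the control socket to every local account.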
