
Add unbound members group access to control key#1220

Merged
gthess merged 1 commit into NLnetLabs:master from InfrastructureServices:unbound-control-group-key
Jan 24, 2025

Conversation

@pemensik (Contributor)

Recent openssl genrsa does not use umask for generated keys. There is no strong reason why every member of the unbound group should be able to read the server key. But it would be quite useful for the control key to be group readable, to allow control access to the whole group. Allowing access to control by group membership, not via sudo.

@pemensik pemensik force-pushed the unbound-control-group-key branch from 4222050 to 0d0f45c on January 14, 2025 13:33
Recent openssl genrsa does not use umask for generated keys. There is no
strong reason why every member of the unbound group should be able to read
the server key. But it would be quite useful for the control key to be group
readable, to allow control access to the whole group. Allowing access to
control by group membership, not via sudo.
@pemensik pemensik force-pushed the unbound-control-group-key branch from 0d0f45c to f4881bd on January 14, 2025 13:35
@gthess gthess self-assigned this Jan 24, 2025

@gthess (Member) left a comment

Looks good to me.
The old situation was that the group was getting read access on keys and public certificates implicitly.
The current situation is that the group is not getting any read access on keys.
The new situation will be that the group will gain read access on the control key (the one clients need to connect to the server part, Unbound).

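The permission split described in the comment above (server key owner-only, control key readable by the unbound group, certificates public), as an added shell example that is not Unbound's own unbound-control-setup script. It assumes the unbound-control-setup default file names (unbound_server.key, unbound_server.pem, unbound_control.key, unbound_control.pem); the modes 0600/0640/0644 and the function names are this example's own policy, not necessarily what the merged change sets. Without openssl installed it falls back to constructed placeholder files so the permission logic can still be exercised.

```shell
#!/bin/sh
# Added example, not code from Unbound or its unbound-control-setup script.
# Assumed: file names follow the unbound-control-setup defaults; the modes
# 0600/0640/0644 are this example's policy, not necessarily the PR's.
set -eu

# Octal mode of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# generate_keys DIR
# Writes the two private keys with openssl when available. Recent genrsa
# writes the key 0600 regardless of the caller's umask, which is why group
# access must be granted explicitly afterwards. Older releases honoured
# umask and could leave the key world-readable, so the mode is normalized.
# Without openssl, empty placeholder files (constructed stand-ins) are
# created with the same 0600 mode. Certificates are placeholders in both
# cases; a real setup issues them with "openssl req -x509".
generate_keys() {
    dir=$1
    for name in unbound_server unbound_control; do
        if command -v openssl >/dev/null 2>&1; then
            openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
            chmod 0600 "$dir/$name.key"
        else
            ( umask 077; : > "$dir/$name.key" )
        fi
        : > "$dir/$name.pem"
    done
}

# apply_key_perms DIR GROUP
# The server key stays owner-only; only the control key becomes readable by
# GROUP, so its members can run unbound-control without sudo. Certificates
# are public and stay world-readable.
apply_key_perms() {
    dir=$1
    group=$2
    chmod 0600 "$dir/unbound_server.key"
    chgrp "$group" "$dir/unbound_control.key"
    chmod 0640 "$dir/unbound_control.key"
    chmod 0644 "$dir/unbound_server.pem" "$dir/unbound_control.pem"
}

# check_key_perms DIR
# Returns 0 when the policy holds, 1 otherwise, naming the offending file on
# stderr. Usable as a post-setup sanity check or a periodic audit.
check_key_perms() {
    dir=$1
    rc=0
    [ "$(mode_of "$dir/unbound_server.key")" = 600 ] \
        || { echo "$dir/unbound_server.key: expected 0600" >&2; rc=1; }
    [ "$(mode_of "$dir/unbound_control.key")" = 640 ] \
        || { echo "$dir/unbound_control.key: expected 0640" >&2; rc=1; }
    return $rc
}

# Usage: sh keyperms.sh /etc/unbound unbound
if [ "$#" -eq 2 ]; then
    apply_key_perms "$1" "$2"
    check_key_perms "$1"
fi
```

Run it after key generation with the config directory and the group that should be allowed to use unbound-control; the check function is what you would call again later to catch a package upgrade or a manual chmod that silently widened the server key.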
@gthess gthess merged commit b48958c into NLnetLabs:master Jan 24, 2025
gthess added a commit that referenced this pull request Jan 24, 2025
- Merge #1220 from Petr Menšík, Add unbound members group access to
  control key.
jedisct1 added a commit to jedisct1/unbound that referenced this pull request Mar 18, 2025
* nlnet/master: (37 commits)
  - Fix for windows compile create ssl contexts.
  - Fix NLnetLabs#1251: WSAPoll first argument cannot be NULL.
  - Fix representation of types GPOS and RESINFO, add rdf type for
  - Fix 'unbound-control flush_negative' when reporting removed data; reported by David 'eqvinox' Lamparter.
  Changelog note for NLnetLabs#1238 and add `--help` description. - Merge NLnetLabs#1238: Prefer SOURCE_DATE_EPOCH over actual time. Add --help output description for the SOURCE_DATE_EPOCH variable.
  Prefer SOURCE_DATE_EPOCH over actual time (NLnetLabs#1238)
  Changelog note for NLnetLabs#1243 - Merge NLnetLabs#1243: Do not shadow tm on line 236.
  Do not shadow tm on line 236. (NLnetLabs#1243)
  - Fix hash calculation for cachedb to ignore case. Previously, cached records there were only relevant for same case queries (if not already in Unbound's internal cache).
  Changelog entry for NLnetLabs#1241: - Merge NLnetLabs#1241: Fix infra-keep-probing for low infra-cache-max-rtt values.
  - The maximum value of a probe rto was not aligned with the (configurable) infra-cache-max-rtt value. That could result in infra-keep-probing not working if an infra-cache-max-rtt value was chosen that was below 12000 ms. This fix still uses a default value of 12000 ms for the probe but caps it to the infra-cache-max-rtt if that is lower.
  - Fix static analysis report about unhandled EOF on error conditions when reading anchor key files.
  - Consider reconfigurations when calculating the still_useful_timeout for servers in the infrastructure cache.
  - Fix NLnetLabs#986: Resolving sas.com with dnssec-validation fails though signed delegations seem to be (mostly) correct.
  - Make the default value of module-config "validator iterator" regardless of compilation options. --enable-subnet would implicitly change the value to enable the subnetcache module by default in the past.
  Changelog entry for NLnetLabs#1220: - Merge NLnetLabs#1220 from Petr Menšík, Add unbound members group access to control key.
  Changelog entry for NLnetLabs#1224: - Merge NLnetLabs#1224 from Theo Buehler: Do not use DSA API unless USE_DSA is set.
  Changelog note for NLnetLabs#1229 - Merge NLnetLabs#1229: check before use daemon->shm_info.
  check before use daemon->shm_info (NLnetLabs#1229)
  - Do not open unencrypted channels next to encrypted ones on the same port.
  ...
2 participants