Add unbound members group access to control key #1220
Conversation
Recent openssl genrsa does not use umask for generated keys. There is no strong reason why every member of the unbound group should be able to read the server key. But the control key would be quite useful to be group readable, to allow control access to the whole group. Allowing access to control by group membership, not via sudo.
Looks good to me.
The old situation was that the group was getting read access on keys and public certificates implicitly.
The current situation is that the group is not getting any read access on keys.
The new situation will be that the group will gain read access on the control key (the one clients need to connect to the server part, Unbound).
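As an added example, not the PR's change to unbound-control-setup nor any NLnet Labs code, the script below reproduces the permission split that the description and the review comment describe (server key owner-only, control key group-readable, certificates public) and checks a key directory against it. The filenames unbound_server.key, unbound_control.key and the two .pem certificates are assumed to be unbound-control-setup's defaults; the page itself does not name them.

```sh
#!/bin/sh
# Added example, not the unbound-control-setup script from the PR. It reproduces the
# permission split the description argues for: the server key stays owner-only, the
# control key becomes group-readable, public certificates stay world-readable.
# Filenames are assumed unbound-control-setup defaults, not stated on the page.
set -eu

SERVER_KEY=unbound_server.key
CONTROL_KEY=unbound_control.key

# Constructed stand-in for key generation: recent openssl genrsa ignores umask and
# writes 0600, so emulate that with an explicit chmod on empty placeholder files.
make_keys() {
    mkdir -p "$1"
    for f in "$SERVER_KEY" "$CONTROL_KEY" unbound_server.pem unbound_control.pem; do
        : > "$1/$f"
        chmod 0600 "$1/$f"
    done
}

# The policy: only the control key gets the group read bit. In a real deployment the
# files' group must also be the unbound group (chgrp), which is not shown here.
apply_policy() {
    chmod 0600 "$1/$SERVER_KEY"
    chmod 0640 "$1/$CONTROL_KEY"
    chmod 0644 "$1/unbound_server.pem" "$1/unbound_control.pem"
}

# Exact-mode test using POSIX find -perm (no GNU stat -c / BSD stat -f dependence).
mode_is() {
    [ -n "$(find "$1" -perm "$2" -print)" ]
}

# Returns 0 when the directory matches the policy, 1 (with a reason on stderr) otherwise.
check_policy() {
    mode_is "$1/$SERVER_KEY" 0600 || { echo "$SERVER_KEY must be 0600" >&2; return 1; }
    mode_is "$1/$CONTROL_KEY" 0640 || { echo "$CONTROL_KEY must be 0640" >&2; return 1; }
    for f in unbound_server.pem unbound_control.pem; do
        mode_is "$1/$f" 0644 || { echo "$f must be 0644" >&2; return 1; }
    done
}

# Demo: freshly generated keys fail the check (control key not group-readable);
# applying the policy makes it pass.
demo_dir=$(mktemp -d)
make_keys "$demo_dir"
check_policy "$demo_dir" && echo "unexpected: fresh keys already match" >&2
apply_policy "$demo_dir"
check_policy "$demo_dir" && echo "policy applied in $demo_dir"
rm -rf "$demo_dir"
```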
- Merge #1220 from Petr Menšík, Add unbound members group access to control key.
* nlnet/master: (37 commits)
- Fix for windows compile create ssl contexts.
- Fix NLnetLabs#1251: WSAPoll first argument cannot be NULL.
- Fix representation of types GPOS and RESINFO, add rdf type for
- Fix 'unbound-control flush_negative' when reporting removed data; reported by David 'eqvinox' Lamparter.
Changelog note for NLnetLabs#1238 and add `--help` description.
- Merge NLnetLabs#1238: Prefer SOURCE_DATE_EPOCH over actual time.
Add --help output description for the SOURCE_DATE_EPOCH variable.
Prefer SOURCE_DATE_EPOCH over actual time (NLnetLabs#1238)
Changelog note for NLnetLabs#1243
- Merge NLnetLabs#1243: Do not shadow tm on line 236.
Do not shadow tm on line 236. (NLnetLabs#1243)
- Fix hash calculation for cachedb to ignore case. Previously, cached records there were only relevant for same case queries (if not already in Unbound's internal cache).
Changelog entry for NLnetLabs#1241:
- Merge NLnetLabs#1241: Fix infra-keep-probing for low infra-cache-max-rtt values.
- The maximum value of a probe rto was not aligned with the (configurable) infra-cache-max-rtt value. That could result in infra-keep-probing not working if an infra-cache-max-rtt value was chosen that was below 12000 ms. This fix still uses a default value of 12000 ms for the probe but caps it to the infra-cache-max-rtt if that is lower.
- Fix static analysis report about unhandled EOF on error conditions when reading anchor key files.
- Consider reconfigurations when calculating the still_useful_timeout for servers in the infrastructure cache.
- Fix NLnetLabs#986: Resolving sas.com with dnssec-validation fails though signed delegations seem to be (mostly) correct.
- Make the default value of module-config "validator iterator" regardless of compilation options. --enable-subnet would implicitly change the value to enable the subnetcache module by default in the past.
Changelog entry for NLnetLabs#1220:
- Merge NLnetLabs#1220 from Petr Menšík, Add unbound members group access to control key.
Changelog entry for NLnetLabs#1224:
- Merge NLnetLabs#1224 from Theo Buehler: Do not use DSA API unless USE_DSA is set.
Changelog note for NLnetLabs#1229
- Merge NLnetLabs#1229: check before use daemon->shm_info.
check before use daemon->shm_info (NLnetLabs#1229)
- Do not open unencrypted channels next to encrypted ones on the same port.
...