about unbound and systemd units

Simon Deziel simon+unbound at sdeziel.info
Wed Nov 21 14:08:20 UTC 2018


On 2018-11-21 1:00 a.m., Paul Wouters wrote:
> On Tue, 20 Nov 2018, Simon Deziel via Unbound-users wrote:
> 
>> On 2018-11-20 10:22 a.m., Paul Wouters via Unbound-users wrote:
>>> [paul at thinkpad tmp]$ cat /usr/lib/systemd/system/unbound.service
>>> [Unit]
>>> Description=Unbound recursive Domain Name Server
>>> After=network.target
>>> After=unbound-keygen.service
>>> Wants=unbound-keygen.service
>>> Wants=unbound-anchor.timer
>>> Before=nss-lookup.target
>>> Wants=nss-lookup.target
>>>
>>> [Service]
>>> Type=simple
>>> EnvironmentFile=-/etc/sysconfig/unbound
>>> ExecStartPre=/usr/sbin/unbound-checkconf
>>> ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
>>
>> Doesn't that result in a root.key owned by root?
> 
> Nope. I guess unbound-anchor drops privs or keeps the existing
> owner/group intact.

Interesting, here with version 1.7.3, it doesn't drop privs and always
creates a new temp file (owned by root) that is renamed to root.key:

# cd /tmp
# > root.key
# chown unbound: root.key
# ll root.key
-rw-r--r-- 1 unbound unbound 0 Nov 21 08:46 root.key
# unbound-anchor -a /tmp/root.key
# ll root.key
-rw-r--r-- 1 root root 1252 Nov 21 08:46 root.key

strace confirmed the renaming:
openat(AT_FDCWD, "/tmp/root.key", O_RDONLY) = 3
openat(AT_FDCWD, "/tmp/root.key", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
openat(AT_FDCWD, "/tmp/root.key", O_RDONLY) = 7
openat(AT_FDCWD, "/tmp/root.key.14619-0", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 10
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 12
rename("/tmp/root.key.14619-0", "/tmp/root.key") = 0

I don't know why it's different on Fedora but thanks for sharing!

Regards,
Simon
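To make the ownership effect in the strace above concrete, here is an added Python model (not unbound's own code) of the two write strategies it shows: an in-place O_TRUNC write keeps the existing inode and therefore its owner, while the temp-file-plus-rename path leaves root.key on a fresh inode owned by whoever ran unbound-anchor (root under ExecStartPre). The function names, the temp-file suffix and the sample file contents are my own.

```python
import os
import tempfile

# Hypothetical model of the file-replacement strategy seen in the strace
# output of unbound-anchor 1.7.3; the real program is C, this only mimics
# the open()/rename() sequence to show why root.key ends up root-owned.


def write_in_place(path, data):
    """O_WRONLY|O_CREAT|O_TRUNC on the existing path: same inode, so the
    owner, group and mode set earlier by chown/chmod are preserved."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def write_via_rename(path, data):
    """Write a sibling temp file and rename() it over the target. The target
    now refers to a brand-new inode created by this process, so its owner is
    the running uid, whatever the old root.key was chowned to."""
    tmp = f"{path}.{os.getpid()}-0"  # mirrors the root.key.PID-0 name in the trace
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    os.rename(tmp, path)


def owner_is(path, uid):
    """Defensive check for a start-up hook: does the file belong to the uid
    the daemon will run as (e.g. pwd.getpwnam("unbound").pw_uid)?"""
    return os.stat(path).st_uid == uid


def demo():
    """Run both strategies in a scratch dir. Returns
    (inode kept by in-place write, inode kept by rename, owned by this uid)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "root.key")
        open(path, "w").close()  # like `> root.key` in the shell session
        before = os.stat(path).st_ino
        write_in_place(path, b". IN DS constructed-sample-not-a-real-anchor\n")
        kept_in_place = os.stat(path).st_ino == before
        write_via_rename(path, b". IN DS constructed-sample-not-a-real-anchor\n")
        kept_after_rename = os.stat(path).st_ino == before
        return kept_in_place, kept_after_rename, owner_is(path, os.getuid())


if __name__ == "__main__":
    print(demo())  # → (True, False, True)
```

Run as an unprivileged user the third value is trivially True; the point is that after the rename the file is owned by the caller, which under ExecStartPre is root, not unbound.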