-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Greg,
Thank you for this report. It looks like it is indeed the groups. Did not know about secondary group privileges. I'll put on my todo to print ssl filenames, and to call initgroups(3). Unbound 1.2.0 calls setresgid but not initgroups. Please note that the server needs 3 files to operate: server-key-file, server-cert-file and control-cert-file(unbound_control.pem). It uses that last one to authenticate the client. Best regards, Wouter Greg A. Woods; Planix, Inc. wrote: > So, I've got two nearly identical machines, with nearly identical > configurations, running unbound-1.2.0, but yet only one of them will > start unbound without having the server-key-file and server-cert-file > readable by the user unbound runs as after it gets started. The > (extremely unhelpful!!! -- I almost had to ktrace to find out which > file(s) it's actually complaining about!!!) errors are appended below. > If this is the significant difference then indeed unbound-1.2.0 is > failing to use setgroups(2) or initgroups(3) or best of all > setusercontext(3) to ensure the unprivileged process dumps _all_ > unnecessary privileges; and then of course it also needs to have already > opened all privileged files prior to dropping privileges. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkmG1XwACgkQkDLqNwOhpPiytwCdH5HF+5i8uG4L/FNV/yEFXve5 kgQAniZtCIZsGpITabBNzi0jull4YRx9 =oeuC -----END PGP SIGNATURE----- _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
