Bug
Resolution: Duplicate
rhel-10.1.z
Low
rhel-net-perf
What were you trying to do that didn't work?
When unbound is installed, "/var/lib/unbound/root.key" is created as a symlink owned by root:
lrwxrwxrwx. 1 root root 36 Aug 29 02:00 /var/lib/unbound/root.key -> ../../../etc/unbound/dnssec-root.key
Once the unbound service is started, it also starts the oneshot unbound-anchor.service, which removes the symlink and creates a new file with different mode, user and group:
root@localhost:~# systemctl start unbound-anchor.service
root@localhost:~# ll /var/lib/unbound/root.key
-rw-r--r--. 1 unbound unbound 1250 Jan 28 12:29 /var/lib/unbound/root.key
Due to this, when rpm --verify runs against unbound-libs, it reports a differing mode (M):
root@localhost:~# rpm -V unbound-libs
SM5....T. c /var/lib/unbound/root.key
What is the impact of this issue to you?
Customers have security concerns when they notice the mode of the file has been modified, and it can also affect their automated checks.
Please provide the package NVR for which the bug is seen:
unbound-1.20.0-15.el10_1.x86_64
How reproducible is this bug?:
Always
Steps to reproduce
- Install unbound
- Run the unbound-anchor service: "systemctl start unbound-anchor.service"
- Check the output of "rpm -V unbound-libs".
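
An added example (not part of the original report, and not code from rpm or unbound): a small Python parser that decodes `rpm -V` result lines such as the one quoted above, using the attribute order documented in rpm(8), so an automated check can see exactly which attributes differ. The function names and the second sample line are constructed for illustration.

```python
import re

# Attribute order of the 9-character result string, as documented in rpm(8).
ATTRS = [("S", "size"), ("M", "mode"), ("5", "digest"), ("D", "device"),
         ("L", "symlink target"), ("U", "user"), ("G", "group"),
         ("T", "mtime"), ("P", "capabilities")]
# Optional file-type marker printed between the result string and the path.
MARKERS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}
LINE_RE = re.compile(r"^(missing|\S{9})\s+(?:([cdglr])\s+)?(/.*)$")


def parse_verify_line(line):
    """Decode one `rpm -V` line; return None if it is not a result line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    result, marker, path = m.groups()
    entry = {"path": path, "type": MARKERS.get(marker),
             "missing": result == "missing", "changed": [], "untested": []}
    if entry["missing"]:
        return entry
    for ch, (letter, name) in zip(result, ATTRS):
        if ch == letter:
            entry["changed"].append(name)
        elif ch == "?":
            entry["untested"].append(name)   # rpm could not perform the test
        elif ch != ".":
            return None                       # not a valid result string
    return entry


def parse_verify_output(text):
    """Parse full `rpm -V` output, skipping lines that are not results."""
    return [e for e in map(parse_verify_line, text.splitlines()) if e]


# First line is the one quoted in the report; the second is constructed.
SAMPLE = """\
SM5....T. c /var/lib/unbound/root.key
missing     /usr/share/doc/example/README
"""

if __name__ == "__main__":
    for e in parse_verify_output(SAMPLE):
        state = "missing" if e["missing"] else ", ".join(e["changed"])
        print(f'{e["path"]} ({e["type"] or "file"}): {state}')
```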