03.10.2014 20:52, Robert Edmonds wrote:
> Hi, Michael:
>
> Michael Tokarev wrote:
[]
> Hm, this directory is chown'd to unbound:unbound in the postinst.
[...]

So, you chown /var/lib/unbound and run unbound-anchor as root both in postinst and in the startup script. And unbound-anchor is not really made to securely create a temporary file for the new root.key.

...

>> And to run unbound-anchor as unbound user there too, to stop chown'ing
>> the key file.

So I think this is a must, actually. Something like this:

    su unbound -s /bin/sh -c "unbound-anchor -a $ROOT_TRUST_ANCHOR_FILE -v" 2>&1 | logger -p daemon.info -t unbound-anchor

Thanks,

/mjt

> Yes, that makes sense to me.
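
The concern in this message, a root process creating files in a directory that the unbound user owns, can be checked before the anchor update runs. The following is an added example, not part of the original message or the Debian package: anchor_preflight is a hypothetical helper name, the key path in the usage comment is an assumed value, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the Debian unbound package. Assumes GNU stat.
# anchor_preflight is a hypothetical helper name.

# anchor_preflight KEYFILE WRITER_UID
# Returns 0 when the process that will rewrite KEYFILE runs as the owner of
# the key's directory, so that no more-privileged account creates files in a
# directory controlled by a less-privileged one. Non-zero return codes:
#   1 = directory missing or unreadable
#   2 = writer is not the directory owner (e.g. root writing into a
#       directory chown'd to unbound:unbound)
#   3 = directory is writable by group or others
#   4 = key file is a symlink
anchor_preflight() {
    keyfile=$1
    writer_uid=$2
    dir=$(dirname "$keyfile")

    [ -d "$dir" ] || return 1

    owner_uid=$(stat -c %u "$dir") || return 1
    [ "$owner_uid" = "$writer_uid" ] || return 2

    # %a prints the octal mode; mask the group/other write bits.
    mode=$(stat -c %a "$dir") || return 1
    [ $(( 0$mode & 022 )) -eq 0 ] || return 3

    [ ! -L "$keyfile" ] || return 4
    return 0
}

# Usage in a startup script (path is an assumed value; not executed here):
#   ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
#   if anchor_preflight "$ROOT_TRUST_ANCHOR_FILE" "$(id -u unbound)"; then
#       su unbound -s /bin/sh -c "unbound-anchor -a $ROOT_TRUST_ANCHOR_FILE -v"
#   fi
```
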