Sorry, accidentally did not reply-all:
On 12/7/21 19:16, Georg Pfuetzenreuter wrote:
Hi,
This seems to be a flaw in the package.
The package shipping with a sudo statement in the service file is indeed unusual, but understandable from the packager's perspective, as the ExecStartPre statement performs not only a validation of the configuration syntax, but also a validation of the configuration permissions this way.
However! The packaged configuration file ships with a "username: unbound" line, which performs setuid to the unbound user upon starting the program as root (which is what systemd does if no user= statement is set): https://build.opensuse.org/package/view_file/openSUSE:Factory/unbound/unboun... (line 218).
Whilst generally configuration files owned by root should not pose an issue with applications performing setuid/setgid, I *assume* the configuration file needs to be readable by the "unbound" user, as otherwise the program could not read it on the fly after startup (i.e. for configuration reloads using unbound-control).
Please attempt to `chown unbound /etc/unbound/unbound.conf`. If this resolves the issue, open a bug in order for the package maintainer to be informed of the issue. They can then adjust
https://build.opensuse.org/package/view_file/openSUSE:Factory/unbound/unboun... (line 388)
respectively.
If this does not resolve the issue, I suggest still opening a bug, stating that the program does not work out of the box and informing them about the attempts you performed.
Best, Georg
On 12/7/21 11:24, Stakanov wrote:
On Tuesday, 7 December 2021 11:23:07 CET, Stakanov wrote:
On Tuesday, 7 December 2021 10:44:28 CET, Carlos E. R. wrote:
On Tuesday, 2021-12-07 at 09:57 +0100, Stakanov wrote:
Unbound cannot start because of an apparent permission issue.
Output is:
× unbound.service - Unbound recursive Domain Name Server
Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2021-12-07 08:14:54 CET; 1h 25min ago>
Process: 1937 ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-
Now this is peculiar. A service using sudo to start? Perhaps the service is not running as root.
Process: 1994 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS (code=exited, status=1/FAILURE)
Main PID: 1994 (code=exited, status=1/FAILURE)
Then this process (1994) would not be running as root. And it fails:
Dec 07 08:14:54 silversurfer unbound[1994]: [1638861294] unbound[1994:0] error: Could not open /etc/unbound/unbound.conf: Permission denied
...
entropy@silversurfer:~> ls -l /etc/unbound/
totale 24
drwxr-xr-x 1 root unbound    32  7 dic 09.53 conf.d
drwxr-xr-x 1 root unbound    30  7 dic 09.53 keys.d
drwxr-xr-x 1 root unbound    44  7 dic 09.53 local.d
-rw-r----- 1 root unbound 21947 22 apr  2018 unbound.conf
If the process is not running as root, it can not read unbound.conf.
-- Cheers,
Carlos E. R. (from openSUSE 15.2 x86_64 at Telcontar)
But from what I understood, the service is intentionally not running as root. And this, from what I understand, is for security reasons? The thing about the permission has been haunting me for quite a while. You can of course relax the permissions for unbound conf, but I do not know if this is a bug or if this is a setup error that I am making. And forget about sudo: I did run it from the CLI as root, but it fails either way.
silversurfer:~ # unbound -d
[1638872635] unbound[22176:0] error: Could not open /etc/unbound/unbound.conf: Permission denied
[1638872635] unbound[22176:0] fatal error: Could not read config file: /etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
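
As an added example (not part of the thread and not code from the unbound package), the following models the classic owner/group/other check for the `ls -l` listing quoted above, walking every path component so that a missing search bit on a directory is reported as well as a missing read bit on the file. It covers mode bits only: ACLs, capabilities (including root's override) and MAC policies such as AppArmor or SELinux are not modelled. The numeric ids, the mode of `/etc/unbound` itself and all function names are assumptions made for the illustration.

```python
import os
import stat

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx triplet that applies to (uid, gids): the first matching class decides."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def first_denial(components, uid, gids):
    """components: [(path, mode, owner_uid, owner_gid), ...] ordered from "/" to the file.
    A read needs search (x) on every directory and read (r) on the file itself.
    Returns the first path whose mode bits deny that, or None if they allow it."""
    last = len(components) - 1
    for i, (path, mode, ouid, ogid) in enumerate(components):
        need = 4 if i == last else 1
        if not class_bits(mode, ouid, ogid, uid, gids) & need:
            return path
    return None

def stat_components(path):
    """Build the same tuples from the live filesystem."""
    out, cur = [], os.path.abspath(path)
    while True:
        st = os.stat(cur)
        out.append((cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if cur == os.path.dirname(cur):
            return out[::-1]
        cur = os.path.dirname(cur)

# Constructed sample: numeric ids are made up; /etc/unbound's own mode is assumed.
UNBOUND_UID, UNBOUND_GID, USERS_GID = 470, 470, 100
CONF = "/etc/unbound/unbound.conf"
LISTING = [
    ("/", 0o755, 0, 0),
    ("/etc", 0o755, 0, 0),
    ("/etc/unbound", 0o755, 0, UNBOUND_GID),   # assumed, not shown in the thread
    (CONF, 0o640, 0, UNBOUND_GID),             # -rw-r----- root unbound (from the ls output)
]
CHOWNED = LISTING[:-1] + [(CONF, 0o640, UNBOUND_UID, UNBOUND_GID)]  # after chown unbound

if __name__ == "__main__":
    for label, comps, gids in [("in group unbound", LISTING, {UNBOUND_GID}),
                               ("not in group", LISTING, {USERS_GID}),
                               ("not in group, after chown", CHOWNED, {USERS_GID})]:
        print(label, "->", first_denial(comps, UNBOUND_UID, gids) or "readable")
```

On a real system, `first_denial(stat_components("/etc/unbound/unbound.conf"), uid, gids)` with the service account's actual uid and group ids (from `id unbound`) gives the same answer for the installed files.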