From b43a7c86e00a14b64de30892576db185e8d625e6 Mon Sep 17 00:00:00 2001 From: Ben Deering Date: Fri, 30 Dec 2022 15:45:36 -0500 Subject: [PATCH] Ensure members of the unbound group have read access to keys (Issue #813) --- smallapp/unbound-control-setup.sh.in | 5 +++++ testdata/10-unbound-anchor.tdir/keys/unbound-control-setup | 3 +++ 2 files changed, 8 insertions(+) diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in index eaf1d082c..daa95d949 100644 --- a/smallapp/unbound-control-setup.sh.in +++ b/smallapp/unbound-control-setup.sh.in @@ -204,6 +204,11 @@ chmod o-rw \ "$CTL_BASE.pem" \ "$CTL_BASE.key" +# Ensure expected group permissions +chmod g+r \ + "$SVR_BASE.key" \ + "$CTL_BASE.key" \ + cleanup echo "Setup success. Certificates created. Enable in unbound.conf file to use" diff --git a/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup b/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup index ff205be19..e6d10a062 100755 --- a/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup +++ b/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup @@ -158,6 +158,9 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" # remove unused permissions chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key +# add needed group permissions +chmod g+r $SVR_BASE.key $CTL_BASE.key + # remove crap rm -f request.cfg rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"
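Review bot: The added `chmod g+r` gives read access on both private keys to whatever group currently owns them, and nothing in this hunk sets or checks that group, so the result matches the commit's stated intent only if the files already belong to the unbound group; the same applies to the `chmod g+r $SVR_BASE.key $CTL_BASE.key` added in testdata/10-unbound-anchor.tdir/keys/unbound-control-setup. If the script is run by an account whose primary group is shared with other users, the server and control keys become readable by every member of that group. Key creation and any ownership handling lie outside the hunk, so this may already be covered; if it is not, I would state the assumption next to the call, for example `# g+r is only safe when the key files are group-owned by the unbound group`. Separately, the last added operand ends in a continuation backslash (`"$CTL_BASE.key" \`) that works only because an empty line follows it; dropping that backslash keeps a later edit from turning `cleanup` into a chmod operand.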