On Mon, Dec 30, 2013 at 12:10, Chris Smith wrote:
> I've been working on using dnssec with the unbound package and viewing
> some of the threads here on the list regarding this.
>
> Enabling autotrust and the validator module in unbound.conf and
> running unbound-anchor before starting unbound will enable dnssec but
> eventually will log errors of:
>
> could not open autotrust file for writing
>
> This is apparently because the _unbound user or group does not have
> write privileges to the directory, running unbound-anchor with "sudo
> -u _unbound" doesn't change the directory perms.
That is on purpose. It's very bad for running daemons to have write privileges. There are a couple of solutions. More elaborately, it should use some sort of privilege separation code to communicate with another daemon if it needs to create new files after startup. More simply, can that file be moved to another location? Then we can enable write permissions to /var/unbound/etc/autotrust/files/... or something, without giving away the keys to the whole kingdom.
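As an added illustration of the reply's suggestion (this is not code from the thread or from the unbound project), a small POSIX sh check that confirms the directory holding the autotrust file is writable by the daemon account and by nobody else; the user name `_unbound` and the `/var/unbound/etc/autotrust` path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that the directory holding
# unbound's auto-trust-anchor-file is writable by the unbound daemon's
# user or group and by nobody else, i.e. a dedicated writable subdirectory
# rather than write access to all of /var/unbound/etc.
# The account name "_unbound" and the path below are assumptions.

# Intended layout on the resolver (requires root; not run here):
#   mkdir -p /var/unbound/etc/autotrust
#   chown root:_unbound /var/unbound/etc/autotrust
#   chmod 0770 /var/unbound/etc/autotrust
# and in unbound.conf:
#   auto-trust-anchor-file: "/var/unbound/etc/autotrust/root.key"

# autotrust_dir_ok DIR NAME
# Returns 0 when DIR exists, the "other" write bit is clear, and either
# the owner is NAME with owner-write set or the group is NAME with
# group-write set. Inspects mode bits only; it does not reflect ACLs or
# root's ability to bypass permissions.
autotrust_dir_ok() {
    dir=$1
    name=$2
    [ -d "$dir" ] || return 1
    # ls -ld prints: mode links owner group ... name
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    group=$4
    # world-writable directory: any local user could replace the anchor
    case $mode in
        ????????w*) return 1 ;;
    esac
    # owner-writable and owned by the daemon account
    case $mode in
        ??w*) [ "$owner" = "$name" ] && return 0 ;;
    esac
    # group-writable and belonging to the daemon's group
    case $mode in
        ?????w*) [ "$group" = "$name" ] && return 0 ;;
    esac
    return 1
}

# Example usage (path and account are assumptions):
#   autotrust_dir_ok /var/unbound/etc/autotrust _unbound && echo ok
```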