"deny capability chown" was initially added for the PID file, see [1]. Failing to chown the PID file or the control socket is only logged at a higher log level, specifically to not generate noise when the chown capability isn't available, see [2,3]. The "capability fowner" was removed based on [4].
Currently, the unbound control socket is only accessible to root, requiring one to use "sudo unbound-control" (aka the bug at hand):
$ ll /run/unbound.ctl
srw-rw---- 1 root root 0 Feb 23 18:40 /run/unbound.ctl=
Re-introducing the chown/fowner caps would give us:
$ ll /run/unbound.ctl
srw-rw---- 1 unbound unbound 0 Feb 23 18:38 /run/unbound.ctl=
which would fix the bug at the expense of those additional caps.
I'd vote in favor of re-introducing the capability for the sake of not having Apparmor "getting in the way". If that's OK with everyone, I'd send the patch to Debian as well.
1: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230
2: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
3: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1332
4: https://lists.ubuntu.com/archives/apparmor/2016-January/009278.html
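A small check for the situation described above, added here as an example and not part of the bug report or the unbound package: it tells whether an AppArmor profile grants the chown/fowner capabilities (a "deny" rule wins) and whether the live control socket ended up owned by the unbound user. The profile path /etc/apparmor.d/usr.sbin.unbound and the "unbound" user name are assumptions based on the Debian/Ubuntu packaging.

```shell
#!/bin/sh
# Added example, not part of the bug report: check whether an AppArmor profile
# grants unbound the capabilities it needs to chown its control socket, and
# whether the live socket is owned by the unbound user. The profile path and
# the "unbound" user name are assumptions based on Debian/Ubuntu packaging.

# profile_grants_cap FILE CAP -> 0 if FILE has an allow rule naming CAP and no
# "deny capability CAP," rule (deny wins in AppArmor). Handles multi-capability
# rules such as "capability chown fowner,". A bare "capability," (all caps)
# rule is not recognised.
profile_grants_cap() {
    file=$1; cap=$2
    caps='([[:space:]]+[a-z_]+)*'
    if grep -Eq "^[[:space:]]*deny[[:space:]]+capability$caps[[:space:]]+$cap$caps[[:space:]]*," "$file"; then
        return 1
    fi
    grep -Eq "^[[:space:]]*capability$caps[[:space:]]+$cap$caps[[:space:]]*," "$file"
}

# socket_owned_by PATH USER -> 0 if PATH is a socket owned by USER (GNU stat).
socket_owned_by() {
    [ -S "$1" ] || return 1
    owner=$(stat -c %U "$1" 2>/dev/null) || return 1
    [ "$owner" = "$2" ]
}
# Constructed profile fragments: the current (denying) shape and the proposed one.
deny_profile=$(mktemp); allow_profile=$(mktemp)
trap 'rm -f "$deny_profile" "$allow_profile"' EXIT
cat > "$deny_profile" <<'EOF'
/usr/sbin/unbound {
  capability net_bind_service,
  deny capability chown,
}
EOF
cat > "$allow_profile" <<'EOF'
/usr/sbin/unbound {
  capability net_bind_service,
  capability chown fowner,
}
EOF
# Stand-alone run: report on the installed profile and the live control socket.
profile=/etc/apparmor.d/usr.sbin.unbound
if [ -r "$profile" ]; then
    for c in chown fowner; do
        profile_grants_cap "$profile" "$c" && echo "$c: granted" || echo "$c: denied or missing"
    done
fi
socket_owned_by /run/unbound.ctl unbound && echo "/run/unbound.ctl owned by unbound" \
    || echo "/run/unbound.ctl not owned by unbound (or absent)"
```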