From 8b919a37805e4484de8addb1adb6e294527edbea Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Mon, 24 Nov 2008 10:55:14 +0000
Subject: [PATCH] Updated documentation for key user privileges.
git-svn-id: file:///svn/unbound/trunk@1372 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 7 +++++++
 doc/unbound-control.8.in | 8 ++++++++
 smallapp/unbound-control-setup.sh | 2 ++
 3 files changed, 17 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index 7d6bf888a..8856eb7d3 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+24 November 2008: Wouter
+ - document that the user of the server daemon needs read privileges
+ on the keys and certificates generated by unbound-control-setup.
+ This is different per system or distribution, usually, running the
+ script under the same username as the server uses suffices.
+ i.e. sudo -u unbound unbound-control-setup
+
 21 November 2008: Wouter
 - fixed tcp accept, errors were printed when they should not.
 - unbound-control-setup.sh removes read/write permissions other
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index f05f76a07..999453477 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -117,6 +117,14 @@ The unbound-control program exits with status code 1 on error, 0 on success.
 The setup requires a self\-signed certificate and private keys for both the server and client. The script \fIunbound\-control\-setup\fR generates these in the default run directory, or with \-d in another directory.
+Run the script under the same username as you have configured in unbound.conf
+so that the daemon is permitted to read the files, for example with:
+.nf
+ sudo \-u unbound unbound\-control\-setup
+.fi
+If you have not configured
+a username in unbound.conf, the keys need read permission for the user
+credentials under which the daemon is started.
 The script preserves private keys present in the directory. After running the script as root, turn on \fBcontrol-enable\fR in \fIunbound.conf\fR.
diff --git a/smallapp/unbound-control-setup.sh b/smallapp/unbound-control-setup.sh
index ecdc5bb3e..ac584d619 100755
--- a/smallapp/unbound-control-setup.sh
+++ b/smallapp/unbound-control-setup.sh
@@ -74,6 +74,8 @@ while test $# -ne 0; do
 echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
 echo " -d dir use directory to store keys and certificates."
 echo " default: $DESTDIR"
+ echo "please run this command using the same user id that the "
+ echo "unboun daemon uses, it needs read privileges."
 exit 1
 ;;
 esac
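Review bot: The second added usage line prints `unboun daemon`, a typo in operator-facing text, and the first added line ends with a space before its closing quote; I would write `echo "please run this command using the same user id that the"` and `echo "unbound daemon uses, it needs read privileges."`. The hint appears only in this usage branch, which ends in `exit 1`, so someone who runs the script normally under a different account never sees it; a one-line reminder printed after the keys are written would reach them, though that code is outside this hunk. Running under the daemon's account presumably also makes that account the owner of the generated private keys rather than only a reader, so the help text could say whether ownership or read-only access is intended. The enclosing `while` loop starts before the hunk and its end is outside it.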