Diffstat (limited to '')
-rw-r--r-- | external/unbound/contrib/README | 2 | ||||
-rw-r--r-- | external/unbound/contrib/unbound.spec_fedora | 7 | ||||
-rw-r--r-- | external/unbound/contrib/unbound_unixsock.diff | 305 |
3 files changed, 0 insertions, 314 deletions
diff --git a/external/unbound/contrib/README b/external/unbound/contrib/README
index 34c8cc46a..8eae9b5b7 100644
--- a/external/unbound/contrib/README
+++ b/external/unbound/contrib/README
@@ -15,8 +15,6 @@ distribution but may be helpful.
 a local-zone and local-data include file for unbound.conf.
 * unbound-host.nagios.patch: makes unbound-host return status that fits right in with the nagios monitoring framework. Contributed by Migiel de Vos.
-* unbound_unixsock.diff: Add Unix socket support for unbound-control.
- Contributed by Ilya Bakulin, 2012-08-28.
 * patch_rsamd5_enable.diff: this patch enables RSAMD5 validation (otherwise it is treated as insecure). The RSAMD5 algorithm is deprecated (RFC6725).
 * create_unbound_ad_servers.sh: shell script to enter anti-ad server lists.
diff --git a/external/unbound/contrib/unbound.spec_fedora b/external/unbound/contrib/unbound.spec_fedora
index 6e02a0964..f8b2e7512 100644
--- a/external/unbound/contrib/unbound.spec_fedora
+++ b/external/unbound/contrib/unbound.spec_fedora
@@ -18,7 +18,6 @@ Source2: unbound.conf
 Source3: unbound.munin
 Source4: unbound_munin_
 Source5: root.key
-Source6: dlv.isc.org.key
 Patch1: unbound-1.2-glob.patch
 Group: System Environment/Daemons
@@ -140,7 +139,6 @@ rm -rf ${RPM_BUILD_ROOT}
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
 %ghost %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %{_sbindir}/*
 %{_mandir}/*/*
@@ -178,11 +176,6 @@ exit 0
 %post
 /sbin/chkconfig --add %{name}
-# dnssec-conf used to contain our DLV key, but now we include it via unbound
-# If unbound had previously been configured with dnssec-configure, we need
-# to migrate the location of the DLV key file (to keep DLV enabled, and because
-# unbound won't start with a bad location for a DLV key file.
-sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf
 %post libs -p /sbin/ldconfig
diff --git a/external/unbound/contrib/unbound_unixsock.diff b/external/unbound/contrib/unbound_unixsock.diff
deleted file mode 100644
index 09d05d392..000000000
--- a/external/unbound/contrib/unbound_unixsock.diff
+++ /dev/null
@@ -1,305 +0,0 @@
-diff --git a/daemon/remote.c b/daemon/remote.c
-index a2b2204..b6990f3 100644
---- a/daemon/remote.c
-+++ b/daemon/remote.c
-@@ -81,6 +81,11 @@
- #ifdef HAVE_NETDB_H
- #include <netdb.h>
- #endif
-+#ifdef HAVE_PWD_H
-+#include <pwd.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#endif
- 
- /* just for portability */
- #ifdef SQ
-@@ -235,7 +240,8 @@ void daemon_remote_delete(struct daemon_remote* rc)
- * @return false on failure.
- */
- static int
--add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err)
-+add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
-+ struct config_file* cfg)
- {
- struct addrinfo hints;
- struct addrinfo* res;
-@@ -246,29 +252,74 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err)
- snprintf(port, sizeof(port), "%d", nr);
- port[sizeof(port)-1]=0;
- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_STREAM;
-- hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
-- if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
--#ifdef USE_WINSOCK
-- if(!noproto_is_err && r == EAI_NONAME) {
-- /* tried to lookup the address as name */
-- return 1; /* return success, but do nothing */
-+
-+ if(ip[0] == '/') {
-+ /* This looks like UNIX socket! */
-+ fd = create_domain_accept_sock(ip);
-+/*
-+ * When unbound starts, it first creates a socket and then
-+ * drops privs, so the socket is created as root user.
-+ * This is fine, but we would like to set _unbound user group
-+ * for this socket, and permissions should be 0660 so only
-+ * root and _unbound group members can invoke unbound-control.
-+ * The username used here is the same as username that unbound
-+ * uses for its worker processes.
-+ */
-+
-+/*
-+ * Note: this code is an exact copy of code from daemon.c
-+ * Normally this should be either wrapped into a function,
-+ * or gui/gid values should be retrieved at config parsing time
-+ * and then stored in configfile structure.
-+ * This requires action from unbound developers!
-+*/
-+#ifdef HAVE_GETPWNAM
-+ struct passwd *pwd = NULL;
-+ uid_t uid;
-+ gid_t gid;
-+ /* initialize, but not to 0 (root) */
-+ memset(&uid, 112, sizeof(uid));
-+ memset(&gid, 112, sizeof(gid));
-+ log_assert(cfg);
-+
-+ if(cfg->username && cfg->username[0]) {
-+ if((pwd = getpwnam(cfg->username)) == NULL)
-+ fatal_exit("user '%s' does not exist.",
-+ cfg->username);
-+ uid = pwd->pw_uid;
-+ gid = pwd->pw_gid;
-+ endpwent();
- }
-+
-+ chown(ip, 0, gid);
-+ chmod(ip, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
-+#endif
-+ } else {
-+ hints.ai_socktype = SOCK_STREAM;
-+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
-+ if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
-+#ifdef USE_WINSOCK
-+ if(!noproto_is_err && r == EAI_NONAME) {
-+ /* tried to lookup the address as name */
-+ return 1; /* return success, but do nothing */
-+ }
- #endif /* USE_WINSOCK */
-- log_err("control interface %s:%s getaddrinfo: %s %s",
-- ip?ip:"default", port, gai_strerror(r),
-+ log_err("control interface %s:%s getaddrinfo: %s %s",
-+ ip?ip:"default", port, gai_strerror(r),
- #ifdef EAI_SYSTEM
- r==EAI_SYSTEM?(char*)strerror(errno):""
- #else
- ""
- #endif
- );
-- return 0;
-+ return 0;
-+ }
-+
-+ /* open fd */
-+ fd = create_tcp_accept_sock(res, 1, &noproto);
-+ freeaddrinfo(res);
- }
- 
-- /* open fd */
-- fd = create_tcp_accept_sock(res, 1, &noproto);
-- freeaddrinfo(res);
- if(fd == -1 && noproto) {
- if(!noproto_is_err)
- return 1; /* return success, but do nothing */
-@@ -305,7 +356,7 @@ struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
- if(cfg->control_ifs) {
- struct config_strlist* p;
- for(p = cfg->control_ifs; p; p = p->next) {
-- if(!add_open(p->str, cfg->control_port, &l, 1)) {
-+ if(!add_open(p->str, cfg->control_port, &l, 1, cfg)) {
- listening_ports_free(l);
- return NULL;
- }
-@@ -313,12 +364,12 @@ struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
- } else {
- /* defaults */
- if(cfg->do_ip6 &&
-- !add_open("::1", cfg->control_port, &l, 0)) {
-+ !add_open("::1", cfg->control_port, &l, 0, cfg)) {
- listening_ports_free(l);
- return NULL;
- }
- if(cfg->do_ip4 &&
-- !add_open("127.0.0.1", cfg->control_port, &l, 1)) {
-+ !add_open("127.0.0.1", cfg->control_port, &l, 1, cfg)) {
- listening_ports_free(l);
- return NULL;
- }
-diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
-index ea7ec3a..4cb04e2 100644
---- a/services/listen_dnsport.c
-+++ b/services/listen_dnsport.c
-@@ -55,6 +55,10 @@
- #endif
- #include <fcntl.h>
- 
-+#ifndef USE_WINSOCK
-+#include <sys/un.h>
-+#endif
-+
- /** number of queued TCP connections for listen() */
- #define TCP_BACKLOG 5
- 
-@@ -376,6 +380,53 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
- }
- 
- int
-+create_domain_accept_sock(char *path) {
-+ int s;
-+ struct sockaddr_un unixaddr;
-+
-+#ifndef USE_WINSOCK
-+ unixaddr.sun_len = sizeof(unixaddr);
-+ unixaddr.sun_family = AF_UNIX;
-+ strlcpy(unixaddr.sun_path, path, 104);
-+
-+ if((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
-+ log_err("Cannot create UNIX socket %s (%s)",
-+ path, strerror(errno));
-+ return -1;
-+ }
-+
-+ if(unlink(path) && errno != ENOENT) {
-+ /* The socket already exists and cannot be removed */
-+ log_err("Cannot remove old UNIX socket %s (%s)",
-+ path, strerror(errno));
-+ return -1;
-+ }
-+
-+ if(bind(s, (struct sockaddr *) &unixaddr,
-+ sizeof(struct sockaddr_un)) == -1) {
-+ log_err("Cannot bind UNIX socket %s (%s)",
-+ path, strerror(errno));
-+ return -1;
-+ }
-+
-+ if(!fd_set_nonblock(s)) {
-+ log_err("Cannot set non-blocking mode");
-+ return -1;
-+ }
-+
-+ if(listen(s, TCP_BACKLOG) == -1) {
-+ log_err("can't listen: %s", strerror(errno));
-+ return -1;
-+ }
-+
-+ return s;
-+#else
-+ log_err("UNIX sockets are not supported");
-+ return -1;
-+#endif
-+}
-+
-+int
- create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
- {
- int s;
-diff --git a/smallapp/unbound-control.c 
b/smallapp/unbound-control.c
-index a872f92..10631fd 100644
---- a/smallapp/unbound-control.c
-+++ b/smallapp/unbound-control.c
-@@ -59,6 +59,8 @@
- #include "util/locks.h"
- #include "util/net_help.h"
- 
-+#include <sys/un.h>
-+
- /** Give unbound-control usage, and exit (1). */
- static void
- usage()
-@@ -158,6 +160,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
- {
- struct sockaddr_storage addr;
- socklen_t addrlen;
-+ int addrfamily = 0;
- int fd;
- /* use svr or the first config entry */
- if(!svr) {
-@@ -176,12 +179,21 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
- if(strchr(svr, '@')) {
- if(!extstrtoaddr(svr, &addr, &addrlen))
- fatal_exit("could not parse IP@port: %s", svr);
-+ } else if(svr[0] == '/') {
-+ struct sockaddr_un* unixsock = (struct sockaddr_un *) &addr;
-+ unixsock->sun_family = AF_UNIX;
-+ unixsock->sun_len = sizeof(unixsock);
-+ strlcpy(unixsock->sun_path, svr, 104);
-+ addrlen = sizeof(struct sockaddr_un);
-+ addrfamily = AF_UNIX;
- } else {
- if(!ipstrtoaddr(svr, cfg->control_port, &addr, &addrlen))
- fatal_exit("could not parse IP: %s", svr);
- }
-- fd = socket(addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET,
-- SOCK_STREAM, 0);
-+
-+ if(addrfamily != AF_UNIX)
-+ addrfamily = addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET;
-+ fd = socket(addrfamily, SOCK_STREAM, 0);
- if(fd == -1) {
- #ifndef USE_WINSOCK
- fatal_exit("socket: %s", strerror(errno));
-diff --git a/util/net_help.c b/util/net_help.c
-index b3136a3..5b5b4a3 100644
---- a/util/net_help.c
-+++ b/util/net_help.c
-@@ -45,6 +45,7 @@
- #include "util/module.h"
- #include "util/regional.h"
- #include <fcntl.h>
-+#include <sys/un.h>
- #include <openssl/ssl.h>
- #include <openssl/err.h>
- 
-@@ -135,7 +136,7 @@ log_addr(enum verbosity_value v, const char* str,
- {
- uint16_t port;
- const char* family = "unknown";
-- char dest[100];
-+ char dest[108];
- int af = (int)((struct sockaddr_in*)addr)->sin_family;
- void* sinaddr = 
&((struct sockaddr_in*)addr)->sin_addr;
- if(verbosity < v)
-@@ -148,15 +149,23 @@ log_addr(enum verbosity_value v, const char* str,
- case AF_UNIX: family="unix"; break;
- default: break;
- }
-- if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
-- strncpy(dest, "(inet_ntop error)", sizeof(dest));
-+
-+ if(af != AF_UNIX) {
-+ if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
-+ strncpy(dest, "(inet_ntop error)", sizeof(dest));
-+ }
-+ dest[sizeof(dest)-1] = 0;
-+ port = ntohs(((struct sockaddr_in*)addr)->sin_port);
-+ if(verbosity >= 4)
-+ verbose(v, "%s %s %s port %d (len %d)", str, family,
-+ dest, (int)port, (int)addrlen);
-+ else verbose(v, "%s %s port %d", str, dest, (int)port);
-+ } else {
-+ struct sockaddr_un* unixsock;
-+ unixsock = (struct sockaddr_un *) addr;
-+ strlcpy(dest, unixsock->sun_path, sizeof(dest));
-+ verbose(v, "%s %s %s", str, family, dest);
- }
-- dest[sizeof(dest)-1] = 0;
-- port = ntohs(((struct sockaddr_in*)addr)->sin_port);
-- if(verbosity >= 4)
-- verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
-- (int)port, (int)addrlen);
-- else verbose(v, "%s %s port %d", str, dest, (int)port);
- }
- 
- int