[Pkg-dns-devel] Bug#790392: unbound chroot accumulates old files
Robert Edmonds
edmonds at debian.org
Sat Dec 12 22:08:59 UTC 2015
Simon Deziel wrote:
> The chroot directory can accumulate old files that were deleted from
> /etc/unbound. With the automatic inclusion of
> /etc/unbound/unbound.conf.d, accumulating remnant files in there can
> cause bugs that are hard to track.
>
> Steps to reproduce:
>
> 0) edit unbound.conf to add chroot: "/var/lib/unbound"
> 1) sudo touch /etc/unbound/foo
> 2) sudo service unbound restart
> 3) [ -e /var/lib/unbound/etc/unbound/foo ] && echo CORRECT
> 4) sudo rm /etc/unbound/foo
> 5) sudo service unbound restart
> 6) [ -e /var/lib/unbound/etc/unbound/foo ] && echo WRONG
>
>
> The "foo" file shouldn't be in the chroot after step 5).
>
> The attached patch ensures the configs are purged from the chroot. It
> also changes how $CHROOT_DIR is set to avoid parsing problems with vim.
>
> Regards,
> Simon
> --- /etc/init.d/unbound.orig 2015-06-28 13:38:39.604171157 -0400
> +++ /etc/init.d/unbound 2015-06-28 15:51:07.843960078 -0400
> @@ -21,7 +21,7 @@
> UNBOUND_ENABLE=true
> UNBOUND_CONF=/etc/unbound/unbound.conf
> UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF)
> -CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed -e "s#\"##g")
> +CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed 's/"//g')
> ROOT_TRUST_ANCHOR_UPDATE=false
> ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
> RESOLVCONF=false
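Review bot: the rewrite of the `sed` expression on the `CHROOT_DIR` line is cosmetic, but the `awk` scan still reads only `$UNBOUND_CONF`, so a `chroot:` directive placed in an included file under /etc/unbound/unbound.conf.d is never seen and `CHROOT_DIR` stays empty, which silently disables `do_chroot_setup`. Consider asking unbound for the effective value instead, e.g. `CHROOT_DIR="$(unbound-checkconf -o chroot)"`, and quote `$UNBOUND_CONF` in the command while it is being touched.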
> @@ -93,8 +93,9 @@
>
> do_chroot_setup() {
> if [ -d "$CHROOT_DIR" -a "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then
> + rm -rf $CHROOT_DIR/$UNBOUND_BASE_DIR && mkdir -p $CHROOT_DIR/$UNBOUND_BASE_DIR
> cd /
> - tar --overwrite -cf - $(echo $UNBOUND_BASE_DIR | sed 's#^/##') | (cd $CHROOT_DIR && tar -xf -)
> + tar -cf - $(echo $UNBOUND_BASE_DIR | sed 's/^\///') | (cd $CHROOT_DIR && tar -xf -)
> fi
> }
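Review bot: the new `rm -rf $CHROOT_DIR/$UNBOUND_BASE_DIR` line deletes a path assembled from two unquoted variables and relies only on the `-d`/`!=` guard above it; a `CHROOT_DIR` of `/` passes both tests, and `rm -rf //etc/unbound` then removes the live configuration before the tar copy runs. Suggest quoting both variables, rejecting `/` (and an empty value) explicitly, and stopping if the purge or `mkdir -p` fails rather than letting the tar pipeline run anyway, e.g. `rm -rf "$CHROOT_DIR$UNBOUND_BASE_DIR" || return 1`.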
Hi, Simon:
The chroot directory might be configured by a file in
/etc/unbound/unbound.conf.d/*.conf, rather than in the main unbound.conf
file.
What do you think of setting UNBOUND_CONF like this instead?
CHROOT_DIR="$(unbound-checkconf -o chroot)"
--
Robert Edmonds
edmonds at debian.org
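As an added example, not code from the bug report or from Debian's init script, here is a defensive version of the purge-and-copy step that the steps to reproduce above exercise. Function and variable names are assumptions; the function takes the base and chroot directories as arguments so it can be run against temporary directories rather than the real /etc/unbound. It goes a little beyond the patch by refusing a chroot of `/`, an empty value or a relative path, because the assembled target path would otherwise point back at the live configuration.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian init script): a
# defensive chroot sync. It rebuilds "$chroot_dir$base_dir" from scratch on
# every run so files deleted from the live config directory do not linger
# in the chroot, and it refuses to act when the computed path could resolve
# to the live configuration. Names are assumptions, not the script's own.

# sync_chroot_config BASE_DIR CHROOT_DIR
#   BASE_DIR   directory holding the live configuration (e.g. /etc/unbound)
#   CHROOT_DIR chroot root the daemon will pivot into (e.g. /var/lib/unbound)
# Returns 0 on success, 1 when the request is unsafe, 2 on a copy failure.
sync_chroot_config() {
    base_dir=$1
    chroot_dir=$2

    # Refuse anything that would make "$chroot_dir$base_dir" land on the
    # live directory: empty or "/" chroot, relative paths, chroot == base.
    case "$chroot_dir" in
        ''|/) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    case "$base_dir" in
        /*) ;;
        *) return 1 ;;
    esac
    [ -d "$chroot_dir" ] || return 1
    [ "$chroot_dir" = "$base_dir" ] && return 1

    target="${chroot_dir}${base_dir}"

    # Purge the previous copy so removed files do not survive, then
    # recreate the directory; stop if either step fails.
    rm -rf "$target" || return 2
    mkdir -p "$target" || return 2

    # Copy the live tree into the chroot. Stripping the leading "/" keeps
    # tar from writing absolute paths, as the original script does.
    rel=${base_dir#/}
    ( cd / && tar -cf - "$rel" ) | ( cd "$chroot_dir" && tar -xf - ) || return 2
    return 0
}

# Stand-alone demonstration against throwaway directories (constructed).
demo_sync_chroot() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/unbound" "$tmp/chroot"
    touch "$tmp/etc/unbound/foo"
    sync_chroot_config "$tmp/etc/unbound" "$tmp/chroot" || return 1
    rm "$tmp/etc/unbound/foo"
    sync_chroot_config "$tmp/etc/unbound" "$tmp/chroot" || return 1
    # After the second sync the stale copy of "foo" must be gone.
    if [ -e "$tmp/chroot$tmp/etc/unbound/foo" ]; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

Wiring this into the init script would mean calling it as `sync_chroot_config "$UNBOUND_BASE_DIR" "$CHROOT_DIR"` from `do_chroot_setup`, with `CHROOT_DIR` taken from `unbound-checkconf -o chroot` so that a directive in unbound.conf.d is honoured.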