[Pkg-dns-devel] Bug#790392: unbound chroot accumulates old files

Robert Edmonds edmonds at debian.org
Sat Dec 12 22:08:59 UTC 2015


Simon Deziel wrote:
> The chroot directory can accumulate old files that were deleted from
> /etc/unbound. With the automatic inclusion of
> /etc/unbound/unbound.conf.d, accumulating remnant files in there can
> cause bugs that are hard to track.
> 
> Steps to reproduce:
> 
> 0) edit unbound.conf to add chroot: "/var/lib/unbound"
> 1) sudo touch /etc/unbound/foo
> 2) sudo service unbound restart
> 3) [ -e /var/lib/unbound/etc/unbound/foo ] && echo CORRECT
> 4) sudo rm /etc/unbound/foo
> 5) sudo service unbound restart
> 6) [ -e /var/lib/unbound/etc/unbound/foo ] && echo WRONG
> 
> 
> The "foo" file shouldn't be in the chroot after step 5).
> 
> The attached patch ensures the configs are purged from the chroot. It
> also changes how $CHROOT_DIR is set to avoid parsing problems with vim.
> 
> Regards,
> Simon

> --- /etc/init.d/unbound.orig	2015-06-28 13:38:39.604171157 -0400
> +++ /etc/init.d/unbound	2015-06-28 15:51:07.843960078 -0400
> @@ -21,7 +21,7 @@
>  UNBOUND_ENABLE=true
>  UNBOUND_CONF=/etc/unbound/unbound.conf
>  UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF)
> -CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed -e "s#\"##g")
> +CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed 's/"//g')
>  ROOT_TRUST_ANCHOR_UPDATE=false
>  ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
>  RESOLVCONF=false
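Review bot: the new sed expression only rewrites the quoting of the same substitution (`-e "s#\"##g"` becomes `'s/"//g'`), so CHROOT_DIR is still extracted by awk from $UNBOUND_CONF alone and misses a `chroot:` directive that lives in a file pulled in via `include:` (for instance /etc/unbound/unbound.conf.d/*.conf); consider `CHROOT_DIR="$(unbound-checkconf -o chroot)"` so the daemon's own parser resolves the effective value, and quote `"$UNBOUND_CONF"` in the awk invocation.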
> @@ -93,8 +93,9 @@
>  
>  do_chroot_setup() {
>      if [ -d "$CHROOT_DIR" -a "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then
> +        rm -rf $CHROOT_DIR/$UNBOUND_BASE_DIR && mkdir -p $CHROOT_DIR/$UNBOUND_BASE_DIR
>          cd /
> -        tar --overwrite -cf - $(echo $UNBOUND_BASE_DIR | sed 's#^/##') | (cd $CHROOT_DIR && tar -xf -)
> +        tar -cf - $(echo $UNBOUND_BASE_DIR | sed 's/^\///') | (cd $CHROOT_DIR && tar -xf -)
>      fi
>  }
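Review bot: the added `rm -rf $CHROOT_DIR/$UNBOUND_BASE_DIR` is guarded only by `-d "$CHROOT_DIR"` and `"$CHROOT_DIR" != "$UNBOUND_BASE_DIR"`, so a `chroot: "/"` setting passes both checks and the line deletes the real /etc/unbound before tar runs; reject "/" as well, and quote both variables, since an unquoted expansion inside an `rm -rf` argument is the worst place for word splitting. The purge is also not failure-safe: if tar fails after the rm, the chroot is left with no configuration at all and the daemon will not start, so building the new tree in a scratch directory and renaming it into place would be safer. As a style point, `tar -C / -cf - etc/unbound` replaces the `$(echo $UNBOUND_BASE_DIR | sed 's/^\///')` dance.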

Hi, Simon:

The chroot directory might be configured by a file in
/etc/unbound/unbound.conf.d/*.conf, rather than in the main unbound.conf
file.

What do you think of setting UNBOUND_CONF like this instead?

    CHROOT_DIR="$(unbound-checkconf -o chroot)"

-- 
Robert Edmonds
edmonds at debian.org
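As an added example, not part of the bug report or of Debian's init script, the function below does what Simon's patch aims for (files removed from /etc/unbound also vanish from the chroot) while refusing a chroot value of "", "/" or the config directory itself and never leaving the chroot without a configuration. The function name sync_chroot_conf is hypothetical; the chroot and base directories are passed as arguments so it can be exercised against temporary directories, and in the real script the first would be filled from `unbound-checkconf -o chroot` as suggested above.

```shell
# sync_chroot_conf CHROOT_DIR BASE_DIR
# Mirror BASE_DIR (e.g. /etc/unbound) into CHROOT_DIR/BASE_DIR so that a file
# deleted from BASE_DIR also disappears from the chroot.  Refuses to act when the
# chroot value is empty, "/", not a directory, or equal to BASE_DIR: with those
# values an "rm -rf" of the copy would remove the real configuration.
sync_chroot_conf() {
    chroot_dir=$1
    base_dir=$2
    case "$chroot_dir" in
        ""|/) return 1 ;;
    esac
    [ -d "$chroot_dir" ] || return 1
    [ "$chroot_dir" != "$base_dir" ] || return 1

    rel=${base_dir#/}             # path relative to /, e.g. etc/unbound
    target="$chroot_dir/$rel"

    # Build the fresh copy in a scratch directory inside the chroot (same
    # filesystem, so the final rename is a plain mv), then swap it in.  If
    # the copy fails, the previous tree is left untouched.
    scratch=$(mktemp -d "$chroot_dir/.conf-sync.XXXXXX") || return 1
    if ! tar -C / -cf "$scratch/conf.tar" "$rel" ||
       ! mkdir -p "$scratch/tree" ||
       ! tar -C "$scratch/tree" -xf "$scratch/conf.tar"; then
        rm -rf "$scratch"
        return 1
    fi

    if ! mkdir -p "$(dirname "$target")"; then
        rm -rf "$scratch"
        return 1
    fi
    rm -rf "$target.old"
    if [ -e "$target" ]; then
        mv "$target" "$target.old" || { rm -rf "$scratch"; return 1; }
    fi
    if ! mv "$scratch/tree/$rel" "$target"; then
        [ -e "$target.old" ] && mv "$target.old" "$target"
        rm -rf "$scratch"
        return 1
    fi
    rm -rf "$target.old" "$scratch"
}
```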