[Pkg-dns-devel] Bug#816425: Bug#816425: unbound: re-enables upstream forwarding

Robert Edmonds edmonds at debian.org
Tue Mar 1 19:58:51 UTC 2016


Jakub Wilk wrote:
> After upgrading to 1.5.7-2, unbound started forwarding queries to upstream
> nameservers, despite the fact that I had RESOLVCONF_FORWARDERS=false in
> /etc/unbound/unbound.
> 
> The NEWS file says that the resolvconf hook is disabled by default, and that
> you need to chmod +x the hook to enable it, but even though I didn't chmod
> anything I have:
> 
> $ ls -l /etc/resolvconf/update.d/unbound
> -rwxr-xr-x 1 root root 661 Feb 22 01:37 /etc/resolvconf/update.d/unbound

Hi, Jakub:

Thanks for the bug report, and apologies for the regression.

In unbound 1.5.7-2, a new version of the conffile
/etc/resolvconf/update.d/unbound was shipped, and the perms went from
0755 to 0644:

    $ debdiff unbound_1.5.7-1_amd64.deb unbound_1.5.7-2_amd64.deb 
    [The following lists of changes regard files as different if they have
    different names, permissions or owners.]

    Files in second .deb but not in first
    -------------------------------------
    -rw-r--r--  root/root   /etc/resolvconf/update.d/unbound
    [...]

    Files in first .deb but not in second
    -------------------------------------
    [...]
    -rwxr-xr-x  root/root   /etc/resolvconf/update.d/unbound

I just tested an upgrade from 1.5.7-1 to 1.5.7-2. dpkg says:

    Installing new version of config file /etc/resolvconf/update.d/unbound ...

But it keeps the permission bits of the old version of the conffile
(even though I didn't touch them), which is surprising. A new install of
1.5.7-2 uses the permissions shipped in the package, though.

I'm not entirely sure what the correct way is to migrate the permissions
on a conffile on an upgrade. Do we maybe need something like this in the
preinst?

    # XXX: Check if upgrading from a version less than 1.5.7-2~, then do:
    if [ -f /etc/default/unbound ]; then
        . /etc/default/unbound
        case "x$RESOLVCONF" in xfalse|x0|xno)
            RESOLVCONF="false"
            ;;
        *)
            RESOLVCONF="true"
            ;;
        esac

        if ! $RESOLVCONF; then
            if [ -f /etc/resolvconf/update.d/unbound ]; then
                chmod -x /etc/resolvconf/update.d/unbound || true
            fi
        fi
    fi

That doesn't help for upgrades from 1.5.7-2, since /etc/default/unbound
will no longer exist. (Maybe we could specially check
/etc/default/unbound.dpkg-bak for upgrades from 1.5.7-2? Ugh.)

Any thoughts?

-- 
Robert Edmonds
edmonds at debian.org
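
The preinst idea from the reply above, written out as an added example (not part of the original message and not the unbound package's maintainer script). It assumes the standard `upgrade <old-version>` preinst arguments and uses `dpkg --compare-versions` for the version gate; the function names and the overridable DEFAULTS_FILE/HOOK_FILE variables are hypothetical, RESOLVCONF is the variable name from the snippet above, and upgrades from 1.5.7-2 itself remain uncovered, as the reply notes.

```shell
#!/bin/sh
# Added example, not the Debian package's preinst.
# Paths default to the ones named in the thread; override them to dry-run.
DEFAULTS_FILE="${DEFAULTS_FILE:-/etc/default/unbound}"
HOOK_FILE="${HOOK_FILE:-/etc/resolvconf/update.d/unbound}"

# Succeeds if the old defaults file turned the resolvconf integration off.
# The file is sourced in a subshell so its variables stay out of this script.
resolvconf_was_disabled() {
    [ -f "$DEFAULTS_FILE" ] || return 1
    (
        . "$DEFAULTS_FILE"
        case "x$RESOLVCONF" in
            xfalse|x0|xno) exit 0 ;;
            *) exit 1 ;;
        esac
    )
}

# $1 = maintainer-script action, $2 = previously installed version.
# Prints what it decided; returns non-zero only if chmod itself fails.
migrate_hook_perms() {
    action="$1"
    old_version="$2"
    if [ "$action" != "upgrade" ]; then
        echo "skip: not an upgrade"
        return 0
    fi
    # Version threshold taken from the XXX comment in the thread.
    if ! dpkg --compare-versions "$old_version" lt "1.5.7-2~"; then
        echo "skip: $old_version is not older than 1.5.7-2~"
        return 0
    fi
    if resolvconf_was_disabled && [ -f "$HOOK_FILE" ]; then
        # dpkg keeps the old mode on upgrade, so drop the exec bit explicitly.
        chmod a-x "$HOOK_FILE" || return 1
        echo "disabled: $HOOK_FILE"
    else
        echo "kept: $HOOK_FILE"
    fi
}
```

In a real preinst this would be called as `migrate_hook_perms "$1" "$2"`.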


