mirror of
https://github.com/NLnetLabs/unbound.git
synced 2025-12-20 23:00:56 -05:00
chroot checks for roothints and anchor files.
git-svn-id: file:///svn/unbound/trunk@910 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards
parent
be483a3bfb
commit
0e1b3fb3e0
5 changed files with 49 additions and 3 deletions
|
|
@ -1,3 +1,7 @@
|
|||
29 January 2008: Wouter
|
||||
- check trailing / on chrootdir in checkconf.
|
||||
- check if root hints and anchor files are in chrootdir.
|
||||
|
||||
28 January 2008: Wouter
|
||||
- fixup uninit use of buffer by libunbound (query id, flags) for
|
||||
local_zone answers.
|
||||
|
|
|
|||
|
|
@ -403,7 +403,12 @@ read_root_hints_list(struct iter_hints* hints, struct config_file* cfg)
|
|||
for(p = cfg->root_hints; p; p = p->next) {
|
||||
log_assert(p->str);
|
||||
if(p->str && p->str[0]) {
|
||||
if(!read_root_hints(hints, p->str))
|
||||
char* f = p->str;
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] &&
|
||||
strncmp(p->str, cfg->chrootdir,
|
||||
strlen(cfg->chrootdir)) == 0)
|
||||
f += strlen(cfg->chrootdir);
|
||||
if(!read_root_hints(hints, f))
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -171,6 +171,22 @@ aclchecks(struct config_file* cfg)
|
|||
}
|
||||
}
|
||||
|
||||
/** check file list, every file must be inside the chroot location */
|
||||
static void
|
||||
check_chroot_filelist(const char* desc, struct config_strlist* list,
|
||||
const char* chrootdir)
|
||||
{
|
||||
struct config_strlist* p;
|
||||
if(!chrootdir) return;
|
||||
for(p=list; p; p=p->next) {
|
||||
if(p->str && p->str[0] && strncmp(chrootdir, p->str,
|
||||
strlen(chrootdir)) != 0) {
|
||||
fatal_exit("%s: \"%s\" not in chrootdir %s",
|
||||
desc, p->str, chrootdir);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/** check configuration for errors */
|
||||
static void
|
||||
morechecks(struct config_file* cfg)
|
||||
|
|
@ -189,6 +205,10 @@ morechecks(struct config_file* cfg)
|
|||
if(!cfg->do_udp && !cfg->do_tcp)
|
||||
fatal_exit("udp and tcp are both disabled, pointless");
|
||||
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] &&
|
||||
cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
|
||||
fatal_exit("chootdir %s has trailing slash '/' please remove.",
|
||||
cfg->chrootdir);
|
||||
if(cfg->chrootdir && strncmp(cfg->chrootdir, cfg->directory,
|
||||
strlen(cfg->chrootdir)) != 0)
|
||||
fatal_exit("working directory %s not in chrootdir %s",
|
||||
|
|
@ -203,6 +223,12 @@ morechecks(struct config_file* cfg)
|
|||
strlen(cfg->chrootdir)) != 0)
|
||||
fatal_exit("log file %s not in chrootdir %s",
|
||||
cfg->logfile, cfg->chrootdir);
|
||||
check_chroot_filelist("file with root-hints",
|
||||
cfg->root_hints, cfg->chrootdir);
|
||||
check_chroot_filelist("trust-anchor-file",
|
||||
cfg->trust_anchor_file_list, cfg->chrootdir);
|
||||
check_chroot_filelist("trusted-keys-file",
|
||||
cfg->trusted_keys_file_list, cfg->chrootdir);
|
||||
|
||||
if(strcmp(cfg->module_conf, "iterator") != 0 &&
|
||||
strcmp(cfg->module_conf, "validator iterator") != 0) {
|
||||
|
|
|
|||
|
|
@ -148,6 +148,8 @@ struct config_file* config_create_forlib()
|
|||
struct config_file* cfg = config_create();
|
||||
if(!cfg) return NULL;
|
||||
/* modifications for library use, less verbose, less memory */
|
||||
free(cfg->chrootdir);
|
||||
cfg->chrootdir = NULL;
|
||||
cfg->verbosity = 0;
|
||||
cfg->outgoing_num_tcp = 2;
|
||||
cfg->msg_cache_size = 1024*1024;
|
||||
|
|
|
|||
|
|
@ -750,11 +750,16 @@ int
|
|||
anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
|
||||
{
|
||||
struct config_strlist* f;
|
||||
char* nm;
|
||||
ldns_buffer* parsebuf = ldns_buffer_new(65535);
|
||||
for(f = cfg->trust_anchor_file_list; f; f = f->next) {
|
||||
if(!f->str || f->str[0] == 0) /* empty "" */
|
||||
continue;
|
||||
if(!anchor_read_file(anchors, parsebuf, f->str)) {
|
||||
nm = f->str;
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
|
||||
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
|
||||
nm += strlen(cfg->chrootdir);
|
||||
if(!anchor_read_file(anchors, parsebuf, nm)) {
|
||||
log_err("error reading trust-anchor-file: %s", f->str);
|
||||
ldns_buffer_free(parsebuf);
|
||||
return 0;
|
||||
|
|
@ -763,7 +768,11 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
|
|||
for(f = cfg->trusted_keys_file_list; f; f = f->next) {
|
||||
if(!f->str || f->str[0] == 0) /* empty "" */
|
||||
continue;
|
||||
if(!anchor_read_bind_file(anchors, parsebuf, f->str)) {
|
||||
nm = f->str;
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
|
||||
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
|
||||
nm += strlen(cfg->chrootdir);
|
||||
if(!anchor_read_bind_file(anchors, parsebuf, nm)) {
|
||||
log_err("error reading trusted-keys-file: %s", f->str);
|
||||
ldns_buffer_free(parsebuf);
|
||||
return 0;
|
||||
|
|
|
|||
Loading…
Reference in a new issue