sam-lunt
6943cab670
Add kill capability to systemd service file
...
The ExecReload command calls kill on a process owned by the unbound user (or whatever user is configured). To do so, it needs the CAP_KILL capability.
2019-09-21 14:36:12 -05:00
Maryse47
acdd4058d2
unbound.service.in: do not fork into the background
...
This is needed when the unbound config doesn't set "do-daemonize: no" by itself; otherwise starting the service fails with:
systemd[1]: unbound.service: Got notification message from PID <PID>, but reception only permitted for main PID which is currently not known
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/doc/example.conf.in#L236
2019-09-20 10:07:37 +00:00
Wouter Wijngaards
e1e71eac3e
Merge pull request #81 from Maryse47/urandom
...
Consistently use /dev/urandom instead of /dev/random in scripts and docs
2019-09-20 07:44:22 +02:00
Pascal Ernster
ae2d5276d2
Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service
...
Since kernel 3.2, CAP_NET_RAW instead of CAP_NET_ADMIN is sufficient to allow for the usage of the IP_TRANSPARENT socket option. CAP_NET_ADMIN allows far more mayhem than CAP_NET_RAW, so prefer the safer, more restrictive solution.
2019-09-20 04:47:56 +00:00
Maryse47
ce0e9bef45
Consistently use /dev/urandom instead of /dev/random in scripts and docs
...
Unbound code calls /dev/urandom (see below) but various docs and scripts
mention /dev/random, which may be confusing.
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/compat/arc4random.c#L107
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/compat/getentropy_linux.c#L251
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/compat/getentropy_osx.c
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/compat/getentropy_solaris.c#L116
2019-09-19 17:40:49 +02:00
Maryse47
ff8fd0be5c
Improvements and fixes for systemd unbound.service
...
1. Remove `ProtectKernelTunables=true`: This prevents various socket options from working as shown below.
`unbound[] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.`
2. Add `CAP_NET_ADMIN` to available caps which is needed for `ip-transparent: yes` config option to work as shown below.
`unbound[] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted`
3. Make `ReadWritePaths` less permissive: `UNBOUND_SYSCONF_DIR` equals `sysconfdir`, which usually equals `/etc`, and `UNBOUND_LOCALSTATE_DIR` equals `localstatedir`, which usually equals `/var`. Allowing write access for those dirs shouldn't be needed. The only dirs unbound should be allowed to write to are `/run` (for pidfile), `@UNBOUND_RUN_DIR@` (for chroot) and `@UNBOUND_CHROOT_DIR@` in case it differs from the previous one.
4. Bind-mount `/run/systemd/notify`, `UNBOUND_PIDFILE`, `/dev/log`, `/dev/urandom` in order to use them inside chroot.
5. Add a few extra hardening options: `RestrictNamespaces`, `LockPersonality` and `RestrictSUIDSGID` should be safe to use.
2019-09-18 21:48:12 +02:00
W.C.A. Wijngaards
a374dfb669
- Fix contrib/fastrpz.patch asprintf return value checks.
2019-08-23 08:41:46 +02:00
W.C.A. Wijngaards
e35d5f5a2d
delete duplicate file.
2019-08-22 13:32:34 +02:00
W.C.A. Wijngaards
334e2b1e35
updated fastrpz.patch to apply cleanly.
2019-08-22 13:31:09 +02:00
W.C.A. Wijngaards
c602ba7319
- Fixup contrib/fastrpz.patch
2019-08-16 12:37:13 +02:00
W.C.A. Wijngaards
f46c238552
- contrib/fastrpz.patch updated for code changes, and with git diff.
2019-05-02 11:17:41 +02:00
Wouter Wijngaards
33a814683b
- Fix #14 : contrib/unbound.init: Fix wrong comparison judgment
...
before copying.
git-svn-id: file:///svn/unbound/trunk@5124 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-02-27 06:58:10 +00:00
Wouter Wijngaards
8fffdca2a6
- Set ub_ctx_set_tls call signature in ltrace config file for
...
libunbound in contrib/libunbound.so.conf.
git-svn-id: file:///svn/unbound/trunk@5090 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-31 09:16:15 +00:00
Wouter Wijngaards
b005fcd87b
- updated contrib/fastrpz.patch to cleanly diff.
...
git-svn-id: file:///svn/unbound/trunk@5075 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-25 12:50:45 +00:00
Wouter Wijngaards
ec84fd2ca6
- Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
...
the patch adds a program used for fuzzing.
git-svn-id: file:///svn/unbound/trunk@5028 be551aaa-1e26-0410-a405-d3ace91eadb9
2019-01-07 15:01:24 +00:00
Wouter Wijngaards
f95f98b12a
- Update contrib fastrpz patch for latest release.
...
git-svn-id: file:///svn/unbound/trunk@4988 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-11-27 15:47:52 +00:00
Wouter Wijngaards
83a186f6cc
Remove unused diagnostic pragmas that themselves generate warnings
...
git-svn-id: file:///svn/unbound/trunk@4927 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-02 12:17:11 +00:00
Wouter Wijngaards
2598f9bb18
line fixup
...
git-svn-id: file:///svn/unbound/trunk@4926 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-02 12:13:19 +00:00
Wouter Wijngaards
ba28c48efc
Remove unused variable from contrib fastrpz/rpz.c
...
git-svn-id: file:///svn/unbound/trunk@4925 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-02 12:12:29 +00:00
Wouter Wijngaards
98234d1017
- updated contrib/fastrpz.patch to apply for this version
...
git-svn-id: file:///svn/unbound/trunk@4924 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-02 12:00:06 +00:00
Wouter Wijngaards
966a958ca5
Fixup fastrpz.patch
...
git-svn-id: file:///svn/unbound/trunk@4920 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-10-02 10:34:00 +00:00
Wouter Wijngaards
00982fc3db
- Fixed unused return value warnings in contrib/fastrpz.patch for
...
asprintf.
git-svn-id: file:///svn/unbound/trunk@4891 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-09-11 13:19:55 +00:00
Wouter Wijngaards
f2b12c0761
- Fix contrib/fastrpz.patch.
...
git-svn-id: file:///svn/unbound/trunk@4856 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-16 10:29:00 +00:00
Wouter Wijngaards
070019c9be
- Fix #4142 : unbound.service.in: improvements and fixes.
...
Add unit dependency ordering (based on systemd-resolved).
Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
about missing privileges during startup). Add 'AF_INET6' to
'RestrictAddressFamilies' (without it IPV6 can't work). From
Guido Shanahan.
git-svn-id: file:///svn/unbound/trunk@4834 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-08-07 08:30:22 +00:00
Wouter Wijngaards
bca54a8b25
- Patch, do not export python from pkg-config, from Petr Menšík.
...
git-svn-id: file:///svn/unbound/trunk@4758 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-06-27 06:07:31 +00:00
Wouter Wijngaards
f64a897cbc
- Fix contrib/libunbound.pc for libssl libcrypto references,
...
from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
git-svn-id: file:///svn/unbound/trunk@4682 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-05-11 11:52:19 +00:00
Wouter Wijngaards
a55df65bc9
- Fix contrib/fastrpz.patch for this release.
...
git-svn-id: file:///svn/unbound/trunk@4659 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-24 14:26:21 +00:00
Wouter Wijngaards
e784758a21
- Add --with-libhiredis, unbound support for a new cached backend
...
that uses a Redis server as the storage. This implementation
depends on the hiredis client library (https://redislabs.com/lp/hiredis/ ).
And unbound should be built with both --enable-cachedb and
--with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
should exist). Patch from Jinmei Tatuya (Infoblox).
git-svn-id: file:///svn/unbound/trunk@4586 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-03-15 12:33:51 +00:00
Wouter Wijngaards
a5fbb38fe2
- Attempt to remove warning about trailing whitespace.
...
git-svn-id: file:///svn/unbound/trunk@4569 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-03-07 08:52:49 +00:00
Wouter Wijngaards
3a69cf5c69
- Fixed contrib/fastrpz.patch, even though this already applied
...
cleanly for me, now also for others.
git-svn-id: file:///svn/unbound/trunk@4565 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-03-07 08:32:14 +00:00
Wouter Wijngaards
8de66ab4b8
- Fixup contrib/fastrpz.patch so that it applies.
...
git-svn-id: file:///svn/unbound/trunk@4552 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-02-27 10:18:28 +00:00
Wouter Wijngaards
093131438d
correct name for libunbound.so.conf
...
git-svn-id: file:///svn/unbound/trunk@4451 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-25 09:47:09 +00:00
Wouter Wijngaards
603b62fdb5
add semicolon at end of line.
...
git-svn-id: file:///svn/unbound/trunk@4450 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-25 09:33:24 +00:00
Wouter Wijngaards
ec179380f4
- ltrace.conf file for libunbound in contrib.
...
git-svn-id: file:///svn/unbound/trunk@4449 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-25 09:31:49 +00:00
Ralph Dolmans
5e4faec554
- Fix #1450 : Generate again patch contrib/aaaa-filter-iterator.patch (by Danilo
...
G. Baio).
git-svn-id: file:///svn/unbound/trunk@4358 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-09-25 12:49:47 +00:00
Wouter Wijngaards
7d17a926ac
- Spelling fixes, from Phil Porada.
...
git-svn-id: file:///svn/unbound/trunk@4344 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-09-15 14:29:28 +00:00
Wouter Wijngaards
7a322130d6
- updated contrib/fastrpz.patch to apply with configparser changes.
...
git-svn-id: file:///svn/unbound/trunk@4321 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-08-30 11:12:03 +00:00
Ralph Dolmans
6195229d76
- Added fastrpz patch to contrib
...
git-svn-id: file:///svn/unbound/trunk@4241 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-06-22 12:03:32 +00:00
Ralph Dolmans
6132c9f8d5
- Added redirect-bogus.patch to contrib directory.
...
git-svn-id: file:///svn/unbound/trunk@4194 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-05-26 12:09:38 +00:00
Wouter Wijngaards
6e0ba733f3
- Fix #1265 to use /bin/kill.
...
git-svn-id: file:///svn/unbound/trunk@4173 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-05-18 07:08:55 +00:00
Wouter Wijngaards
0b10c8da28
Fixup with prefix and exec_prefix expanded.
...
git-svn-id: file:///svn/unbound/trunk@4172 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-05-17 15:04:05 +00:00
Wouter Wijngaards
0d271cbb09
- Fix #1265 : contrib/unbound.service contains hardcoded path.
...
git-svn-id: file:///svn/unbound/trunk@4171 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-05-17 14:50:10 +00:00
Wouter Wijngaards
4fb762f6e4
- Fix #1229 : Systemd service sandboxing, options in wrong sections.
...
git-svn-id: file:///svn/unbound/trunk@4078 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-03-22 07:22:34 +00:00
Wouter Wijngaards
7e6e9a0155
- Fix #1229 : Systemd service sandboxing in contrib/unbound.service.
...
git-svn-id: file:///svn/unbound/trunk@4032 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-03-06 15:27:36 +00:00
Wouter Wijngaards
cd7db58ce3
- configure --enable-systemd and lets unbound use systemd sockets if
...
you enable use-systemd: yes in unbound.conf.
Also there are contrib/unbound.socket and contrib/unbound.service:
systemd files for unbound, install them in /usr/lib/systemd/system.
Contributed by Sami Kerola and Pavel Odintsov.
git-svn-id: file:///svn/unbound/trunk@3975 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-01-03 13:43:29 +00:00
Wouter Wijngaards
a6e3ed1025
- patch from Dag-Erling Smorgrav that removes code that relies
...
on sbrk().
git-svn-id: file:///svn/unbound/trunk@3934 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-11-22 15:50:07 +00:00
Wouter Wijngaards
63d4bcde56
- Fix #1117 : libunbound.pc sets strange Libs, Libs.private values.
...
git-svn-id: file:///svn/unbound/trunk@3889 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-10-18 13:56:42 +00:00
Wouter Wijngaards
db82fbadc1
- Fix #840 : infinite loop in unbound_munin_ plugin on unowned lockfile.
...
git-svn-id: file:///svn/unbound/trunk@3873 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-09-29 11:51:14 +00:00
Wouter Wijngaards
ed4aefc59e
- Create a pkg-config file for libunbound in contrib.
...
git-svn-id: file:///svn/unbound/trunk@3800 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-06-28 12:04:09 +00:00
Wouter Wijngaards
4f6dcce9e2
Fixup that patch does not try to patch itself.
...
git-svn-id: file:///svn/unbound/trunk@3590 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-01-04 12:50:23 +00:00