Re: unbound-anchor: problem with unveiling temporary anchor file

Stuart Henderson Mon, 07 Oct 2019 03:18:06 -0700

On 2019/10/07 09:53, Theo Buehler wrote:
> $ doas /usr/sbin/unbound-anchor -v
> /var/unbound/db/root.key has content
> [1570433629] libunbound[28321:0] fatal error: could not open autotrust file 
> for writing, /var/unbound/db/root.key.28321-0-1966ee948e00: No such file or 
> directory
> 
> The problem is the following change that came with the update to 1.9.3:
> 
>         - Add hex print of trust anchor pointer to trust anchor file temp
>           name to make it unique, for libunbound created multiple contexts.
> 
> See 
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/unbound/validator/autotrust.c.diff?r1=1.10&r2=1.11
> 
> Thus, the unveil code in smallapp/unbound-anchor.c needs some
> adjustment.
> 
>       if (asprintf(&root_anchor_tempfile, "%s.%d-0", root_anchor_file,
>           getpid()) == -1) {
>               if(verb) printf("out of memory\n");
>               exit(0);
>       }
> 
>       if (unveil(root_anchor_file, "rwc") == -1)
>               err(1, "unveil");
>       if (unveil(root_anchor_tempfile, "rwc") == -1)
>               err(1, "unveil");
> 
> The problem is that tp used for tempfile generation is not yet known at
> that point. Not sure how best to deal with this.


Just unveil the directory?

Index: smallapp/unbound-anchor.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-anchor.c,v
retrieving revision 1.12
diff -u -p -r1.12 unbound-anchor.c
--- smallapp/unbound-anchor.c   10 Jan 2019 12:13:44 -0000      1.12
+++ smallapp/unbound-anchor.c   7 Oct 2019 10:14:56 -0000
@@ -116,6 +116,7 @@
  */
 
 #include <err.h>
+#include <libgen.h>
 #include <unistd.h>
 
 #include "config.h"
@@ -2284,7 +2285,7 @@ int main(int argc, char* argv[])
        const char* res_conf = NULL;
        const char* root_hints = NULL;
        const char* debugconf = NULL;
-       char* root_anchor_tempfile;
+       char* root_anchor_temppath;
        int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
        int res_conf_fallback = 0;
        /* parse the options */
@@ -2370,15 +2371,12 @@ int main(int argc, char* argv[])
 
        if(dolist) do_list_builtin();
 
-       if (asprintf(&root_anchor_tempfile, "%s.%d-0", root_anchor_file,
-           getpid()) == -1) {
+       if (asprintf(&root_anchor_temppath, "%s",
+           dirname(root_anchor_file)) == -1) {
                if(verb) printf("out of memory\n");
                exit(0);
        }
-
-       if (unveil(root_anchor_file, "rwc") == -1)
-               err(1, "unveil");
-       if (unveil(root_anchor_tempfile, "rwc") == -1)
+       if (unveil(root_anchor_temppath, "rwc") == -1)
                err(1, "unveil");
        if (unveil(root_cert_file, "r") == -1)
                err(1, "unveil");

Re: unbound-anchor: problem with unveiling temporary anchor file

Reply via email to