Browse Source

unbound: Switch to non-privileged user

Until now unbound was always running as root by default. A DNS resolver can
easily run under a non-privileged user.

Signed-off-by: Michael Hanselmann <public@hansmi.ch>
lilik-openwrt-22.03
Michael Hanselmann 9 years ago
parent
commit
414eaacd90
3 changed files with 9 additions and 9 deletions
  1. +3
    -1
      net/unbound/Makefile
  2. +6
    -0
      net/unbound/files/unbound.init
  3. +0
    -8
      net/unbound/patches/001-conf.patch

+ 3
- 1
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.5.9
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
@ -39,6 +39,7 @@ define Package/unbound
SUBMENU:=IP Addresses and Names
TITLE+= (daemon)
DEPENDS+= +libunbound
USERID:=unbound:unbound
endef
define Package/unbound/description
@ -114,6 +115,7 @@ CONFIGURE_ARGS += \
--with-libexpat="$(STAGING_DIR)/usr" \
--with-ssl="$(STAGING_DIR)/usr" \
--with-pidfile=/var/run/unbound.pid \
--with-user=unbound \
--without-pthreads
define Package/unbound/conffiles


+ 6
- 0
net/unbound/files/unbound.init View File

@ -6,6 +6,12 @@ START=61
USE_PROCD=1
start_service() {
find /etc/unbound \! \( -user unbound -group unbound \) \
-exec chown unbound:unbound {} \;
find /etc/unbound \( -perm +027 -o \! -perm -600 \) \
-exec chmod u=rwX,g=rX,o= {} \;
procd_open_instance
procd_set_param command /usr/sbin/unbound
procd_append_param command -d # don't daemonize


+ 0
- 8
net/unbound/patches/001-conf.patch View File

@ -89,14 +89,6 @@ index ff90e3b..5c20fdf 100644
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
@@ -218,6 +233,7 @@ server:
# and the given username is assumed. Default is user "unbound".
# If you give "" no privileges are dropped.
# username: "@UNBOUND_USERNAME@"
+ username: ""
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
@@ -266,12 +284,15 @@ server:
# positive value: fetch that many targets opportunistically.
# Enclose the list of numbers between quotes ("").


Loading…
Cancel
Save