From c0e5d5ee45068af30417cda9659306f6c7a6091b Mon Sep 17 00:00:00 2001
From: Michael Hanselmann
Date: Sat, 11 Jun 2016 01:17:05 +0200
Subject: [PATCH 1/5] unbound: Remove named.cache

The custom list of DNS root servers provided with the package is not necessary. Unbound ships with a built-in list.

Signed-off-by: Michael Hanselmann
---
 net/unbound/Makefile | 2 +-
 net/unbound/files/named.cache | 90 ------------------------------
 net/unbound/patches/001-conf.patch | 13 -----
 3 files changed, 1 insertion(+), 104 deletions(-)
 delete mode 100644 net/unbound/files/named.cache

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 8549f6191..67dcb65a3 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -113,6 +113,7 @@ CONFIGURE_ARGS += \
 --enable-allsymbols \
 --with-libexpat="$(STAGING_DIR)/usr" \
 --with-ssl="$(STAGING_DIR)/usr" \
+ --with-pidfile=/var/run/unbound.pid \
 --without-pthreads

 define Package/unbound/conffiles
@@ -137,7 +138,6 @@ define Package/unbound/install
 $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
 $(1)/etc/unbound/
 $(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/
- $(INSTALL_CONF) ./files/named.cache $(1)/etc/unbound/
 $(INSTALL_DIR) $(1)/etc/init.d
 $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
 endef
diff --git a/net/unbound/files/named.cache b/net/unbound/files/named.cache
deleted file mode 100644
index 9cc20228c..000000000
--- a/net/unbound/files/named.cache
+++ /dev/null
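Review bot: Dropping the `named.cache` install line in hunk `@@ -137,7` leaves any entry for `/etc/unbound/named.cache` in `Package/unbound/conffiles` dangling if that list (its body is outside the hunk) names the file; check it and drop the entry there as well. Devices upgrading in place keep the stale copy on the overlay, which is harmless once the shipped config no longer sets `root-hints`, but it is worth knowing when reading bug reports about "unused" files. For the `--with-pidfile` addition in the first hunk, a short why-comment would help, e.g. `# pidfile path the init script has relied on so far`, since the value is now fixed at configure time rather than in unbound.conf.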
@@ -1,90 +0,0 @@
-; This file holds the information on root name servers needed to
-; initialize cache of Internet domain name servers
-; (e.g. reference this file in the "cache . "
-; configuration file of BIND domain name servers).
-;
-; This file is made available by InterNIC
-; under anonymous FTP as
-; file /domain/named.cache
-; on server FTP.INTERNIC.NET
-; -OR- RS.INTERNIC.NET
-;
-; last update: November 05, 2014
-; related version of root zone: 2014110501
-;
-; formerly NS.INTERNIC.NET
-;
-. 3600000 NS A.ROOT-SERVERS.NET.
-A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
-A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
-;
-; FORMERLY NS1.ISI.EDU
-;
-. 3600000 NS B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
-B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
-;
-; FORMERLY C.PSI.NET
-;
-. 3600000 NS C.ROOT-SERVERS.NET.
-C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
-C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
-;
-; FORMERLY TERP.UMD.EDU
-;
-. 3600000 NS D.ROOT-SERVERS.NET.
-D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
-D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
-;
-; FORMERLY NS.NASA.GOV
-;
-. 3600000 NS E.ROOT-SERVERS.NET.
-E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
-;
-; FORMERLY NS.ISC.ORG
-;
-. 3600000 NS F.ROOT-SERVERS.NET.
-F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
-F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
-;
-; FORMERLY NS.NIC.DDN.MIL
-;
-. 3600000 NS G.ROOT-SERVERS.NET.
-G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
-;
-; FORMERLY AOS.ARL.ARMY.MIL
-;
-. 3600000 NS H.ROOT-SERVERS.NET.
-H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
-H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803f:235
-;
-; FORMERLY NIC.NORDU.NET
-;
-. 3600000 NS I.ROOT-SERVERS.NET.
-I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
-I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
-;
-; OPERATED BY VERISIGN, INC.
-;
-. 3600000 NS J.ROOT-SERVERS.NET.
-J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
-J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
-;
-; OPERATED BY RIPE NCC
-;
-. 3600000 NS K.ROOT-SERVERS.NET.
-K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
-K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
-;
-; OPERATED BY ICANN
-;
-. 3600000 NS L.ROOT-SERVERS.NET.
-L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
-L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
-;
-; OPERATED BY WIDE
-;
-. 3600000 NS M.ROOT-SERVERS.NET.
-M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
-M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
-; End of file
diff --git a/net/unbound/patches/001-conf.patch b/net/unbound/patches/001-conf.patch
index eab0df375..352fe942c 100644
--- a/net/unbound/patches/001-conf.patch
+++ b/net/unbound/patches/001-conf.patch
@@ -97,19 +97,6 @@ index ff90e3b..5c20fdf 100644
 # the working directory. The relative files in this config are
 # relative to this directory. If you give "" the working directory

-@@ -240,10 +256,12 @@ server:
-
- # the pid file. Can be an absolute path outside of chroot/work dir.
- # pidfile: "@UNBOUND_PIDFILE@"
-+ pidfile: "/var/run/unbound.pid"
-
- # file to read root hints from.
- # get one from https://www.internic.net/domain/named.cache
- # root-hints: ""
-+ root-hints: "/etc/unbound/named.cache"
-
- # enable to not answer id.server and hostname.bind queries.
- # hide-identity: no
 @@ -266,12 +284,15 @@ server:
 # positive value: fetch that many targets opportunistically.
 # Enclose the list of numbers between quotes ("").

From 0d856b0e47ba5ab79bafccb118877874d635cc69 Mon Sep 17 00:00:00 2001
From: Michael Hanselmann
Date: Sat, 11 Jun 2016 00:02:53 +0200
Subject: [PATCH 2/5] unbound: Use INSTALL_BIN/DATA for installation

The commands aliased by $(INSTALL_BIN) and $(INSTALL_DATA) set good permissions, unlike a raw file copy.

Signed-off-by: Michael Hanselmann
---
 net/unbound/Makefile | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 67dcb65a3..ba1e51565 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -122,14 +122,14 @@ endef

 define Build/InstallDev
 $(INSTALL_DIR) $(1)/usr/include
- $(CP) $(PKG_INSTALL_DIR)/usr/include/unbound.h $(1)/usr/include/
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/include/unbound.h $(1)/usr/include/
 $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libunbound.{so*,a,la} $(1)/usr/lib/
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libunbound.{so*,a,la} $(1)/usr/lib/
 endef

 define Package/unbound/install
 $(INSTALL_DIR) $(1)/usr/sbin
- $(CP) \
+ $(INSTALL_BIN) \
 $(PKG_INSTALL_DIR)/usr/sbin/unbound \
 $(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \
 $(1)/usr/sbin/
@@ -144,27 +144,27 @@ endef

 define Package/unbound-anchor/install
 $(INSTALL_DIR) $(1)/usr/sbin
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/unbound-anchor $(1)/usr/sbin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/unbound-anchor $(1)/usr/sbin/
 endef

 define Package/unbound-control/install
 $(INSTALL_DIR) $(1)/usr/sbin
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/unbound-control $(1)/usr/sbin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/unbound-control $(1)/usr/sbin/
 endef

 define Package/unbound-control-setup/install
 $(INSTALL_DIR) $(1)/usr/sbin
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/unbound-control-setup $(1)/usr/sbin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/unbound-control-setup $(1)/usr/sbin/
 endef

 define Package/unbound-host/install
 $(INSTALL_DIR) $(1)/usr/sbin
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/unbound-host $(1)/usr/sbin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/unbound-host $(1)/usr/sbin/
 endef

 define Package/libunbound/install
 $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libunbound.so.* $(1)/usr/lib/
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libunbound.so.* $(1)/usr/lib/
 endef

 $(eval $(call BuildPackage,unbound))

From e21d81209c4122cdcf627d25522b6df8ca8a791c Mon Sep 17 00:00:00 2001
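Review bot: `$(INSTALL_DATA)` is install(1), which copies file contents and so dereferences symlinks, whereas `$(CP)` preserved them; the globs `libunbound.{so*,a,la}` in hunk `@@ -122,14` and `libunbound.so.*` in `Package/libunbound/install` (hunk `@@ -144,27`) presumably match the soname links the build creates next to the real library, so each link becomes a full copy. In the staging tree that only wastes space, but in the target package it can multiply the flash used by libunbound. Consider keeping `$(CP)` for the two library globs, or installing only the real file with `$(INSTALL_DATA)` and recreating the link with `ln -sf`, whichever the feed's other library packages do. The switch to `$(INSTALL_BIN)` for the executables is the part that actually fixes modes and looks right.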
From: Michael Hanselmann
Date: Fri, 10 Jun 2016 22:09:40 +0200
Subject: [PATCH 3/5] unbound: Update to 1.5.9

Bump unbound to version 1.5.9 released on June 9, 2016.

Signed-off-by: Michael Hanselmann
---
 net/unbound/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index ba1e51565..e5fbe43a2 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unbound
-PKG_VERSION:=1.5.8
+PKG_VERSION:=1.5.9
 PKG_RELEASE:=1

 PKG_LICENSE:=BSD-3-Clause
@@ -17,7 +17,7 @@ PKG_MAINTAINER:=Michael Hanselmann
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.unbound.net/downloads
-PKG_MD5SUM:=1c34282bae0c625b86374ee9caaef6f7
+PKG_MD5SUM:=0cefa62c1690b4db18583db84bff00e3

 PKG_BUILD_DEPENDS:=libexpat
 PKG_BUILD_PARALLEL:=1

From 28945ea398007951ef872a8d133b946cd879d5bd Mon Sep 17 00:00:00 2001
From: Michael Hanselmann
Date: Fri, 10 Jun 2016 22:46:08 +0200
Subject: [PATCH 4/5] unbound: Rewrite init script to use procd

Signed-off-by: Michael Hanselmann
---
 net/unbound/Makefile | 2 +-
 net/unbound/files/unbound.init | 18 +++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index e5fbe43a2..e88c11e58 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unbound
 PKG_VERSION:=1.5.9
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init
index 4e700e445..8c1304e2d 100755
--- a/net/unbound/files/unbound.init
+++ b/net/unbound/files/unbound.init
@@ -1,14 +1,14 @@
 #!/bin/sh /etc/rc.common
-#Copyright (C) 2010 Ondrej Caletka
+# Copyright (C) 2016 Michael Hanselmann
+
 START=61

-start () {
- unbound
-}
+USE_PROCD=1

-stop () {
- PIDFILE='/var/run/unbound.pid'
- if [ -f $PIDFILE ] ; then
- kill $(cat $PIDFILE)
- fi
+start_service() {
+ procd_open_instance
+ procd_set_param command /usr/sbin/unbound
+ procd_append_param command -d # don't daemonize
+ procd_set_param respawn
+ procd_close_instance
 }

From 414eaacd90c655aa6ae8ac5c0b74ece435b7061c Mon Sep 17 00:00:00 2001
From: Michael Hanselmann
Date: Fri, 10 Jun 2016 22:46:28 +0200
Subject: [PATCH 5/5] unbound: Switch to non-privileged user

Until now unbound was always running as root by default. A DNS resolver can easily run under a non-privileged user.

Signed-off-by: Michael Hanselmann
---
 net/unbound/Makefile | 4 +++-
 net/unbound/files/unbound.init | 6 ++++++
 net/unbound/patches/001-conf.patch | 8 --------
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index e88c11e58..abb098e1e 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unbound
 PKG_VERSION:=1.5.9
-PKG_RELEASE:=2
+PKG_RELEASE:=3

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -39,6 +39,7 @@ define Package/unbound
 SUBMENU:=IP Addresses and Names
 TITLE+= (daemon)
 DEPENDS+= +libunbound
+ USERID:=unbound:unbound
 endef

 define Package/unbound/description
@@ -114,6 +115,7 @@ CONFIGURE_ARGS += \
 --with-libexpat="$(STAGING_DIR)/usr" \
 --with-ssl="$(STAGING_DIR)/usr" \
 --with-pidfile=/var/run/unbound.pid \
+ --with-user=unbound \
 --without-pthreads

 define Package/unbound/conffiles
diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init
index 8c1304e2d..7ad2e7c74 100755
--- a/net/unbound/files/unbound.init
+++ b/net/unbound/files/unbound.init
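Review bot: The procd instance in hunk `@@ -1,14 +1,14 @@` of unbound.init registers no config file, so `/etc/init.d/unbound reload` has nothing to compare and will not restart the daemon after unbound.conf is edited; add `procd_set_param file /etc/unbound/unbound.conf` next to the `respawn` line. The inline comment on `-d` could say why the flag is needed rather than what it does, e.g. `# -d: stay in the foreground so procd can supervise and respawn it`, since the old pidfile-based stop is gone and procd now tracks the child directly. If the shipped config logs to syslog only (not visible here), `procd_set_param stderr 1` is also worth adding so that errors raised before logging is set up reach logread.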
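Review bot: `USERID:=unbound:unbound` in hunk `@@ -39,6 +39,7 @@` of the Makefile gives no numeric uid/gid, so, as I read OpenWrt's user handling, the ids are allocated at package install time and may differ between images or after a reinstall; files on the persistent overlay that were chowned to the previous id then belong to nobody until the init script's chown runs again. The feed convention is a fixed pair, `USERID:=unbound=<uid>:unbound=<gid>` (placeholders; pick values from the feed's id registry), which keeps ownership stable across upgrades. A one-line comment above it, `# unprivileged user the daemon drops to (see --with-user below)`, would tie it to the configure flag added in hunk `@@ -114,6`.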
@@ -6,6 +6,12 @@ START=61
 USE_PROCD=1

 start_service() {
+ find /etc/unbound \! \( -user unbound -group unbound \) \
+ -exec chown unbound:unbound {} \;
+
+ find /etc/unbound \( -perm +027 -o \! -perm -600 \) \
+ -exec chmod u=rwX,g=rX,o= {} \;
+
 procd_open_instance
 procd_set_param command /usr/sbin/unbound
 procd_append_param command -d # don't daemonize
diff --git a/net/unbound/patches/001-conf.patch b/net/unbound/patches/001-conf.patch
index 352fe942c..3b612bcd1 100644
--- a/net/unbound/patches/001-conf.patch
+++ b/net/unbound/patches/001-conf.patch
@@ -89,14 +89,6 @@ index ff90e3b..5c20fdf 100644
 # if given, a chroot(2) is done to the given directory.
 # i.e. you can chroot to the working directory, for example,

-@@ -218,6 +233,7 @@ server:
- # and the given username is assumed. Default is user "unbound".
- # If you give "" no privileges are dropped.
- # username: "@UNBOUND_USERNAME@"
-+ username: ""
-
- # the working directory. The relative files in this config are
- # relative to this directory. If you give "" the working directory
 @@ -266,12 +284,15 @@ server:
 # positive value: fetch that many targets opportunistically.
 # Enclose the list of numbers between quotes ("").
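Review bot: The recursive chown in hunk `@@ -6,6 +6,12 @@` makes the service user the owner of `/etc/unbound` itself and of its own unbound.conf, so the resolver can rewrite the configuration it will be started with next time; unless unbound has to write into this tree (root.key used as `auto-trust-anchor-file` needs a writable file and directory — the conf patch that decides this is outside the hunk), prefer `-exec chown root:unbound {} \;` so the daemon only reads it, and keep the mutable anchor in a directory of its own. Both find expressions also match symlinks (a link's own mode satisfies `-perm +027`) and `chmod`/`chown` without `-h` follow them, so a link placed in a directory the service user can write to would be operated on as root at the next start; add `\! -type l` (or `-type f -o -type d`) to each expression. `-perm +027` is the legacy spelling that GNU find deprecated in favour of `-perm /027` while BusyBox accepts both, so a comment such as `# +027: any of g=w or o=rwx set` would save the next reader a lookup. The function continues past the hunk.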