[PATCH] UNIX sockets support for unbound-control

Hi all,
We develop a product that contains an unbound server, and we want to use the
unbound-control utility for managing running unbound instances. This utility
looks very powerful, with the ability to query server status, flush/restore zone
caches and even add new zone entries on the fly.
One thing that we miss is the ability to control unbound via unix sockets.
This may be a quite useful and secure setup. Using unix sockets makes it
possible to use traditional unix permissions for controlling access to
unbound, and it's impossible to access the control interface when an attacker
occasionally breaks some other chrooted process on the system (because chroot
restricts access only to the file system namespace, not to the IP socket namespace).
The other advantage is that they are faster than local TCP, which may be
useful if loading the cache via the load_cache command.

Attached is a patch that adds unix socket support to unbound and
unbound-control. After applying the patch it is possible to have such a
configuration:

remote-control:
        control-enable: yes
        control-interface: /tmp/unbound.sock
        server-key-file: /cage/unbound/etc/unbound_server.key
        server-cert-file: /cage/unbound/etc/unbound_server.pem
        control-key-file: /cage/unbound/etc/unbound_control.key
        control-cert-file: /cage/unbound/etc/unbound_control.pem

Additionally, this patch fixes the log_addr() function in libunbound, which is not
fully compatible with unix sockets.

This patch is made for unbound 1.4.15.

Please review the attached patch and tell me if you find this feature useful! :)

(attachments)

unbound_unixsock_for_control.diff (4.72 KB)

Hi Ilya,

> Please review the attached patch and tell me if you find this feature useful! :)

Wouter and I took a look at it and your patch seems fine and looks good.
We think it might be useful for some people and are happy to include it
in the contrib folder if you would stick a BSD license on it.

We are careful with adding new features to Unbound and don't feel the
need to include this in the main source.

Regards,
Yuri Schaeffer

Hi Yuri,
thank you for your feedback!

Yes, of course this patch is under BSD license.

I have one question about NLnet Labs policy regarding stuff that goes in
contrib/. What level of testing and support do things in contrib/ receive?
For example, if in the future something in unbound changes so that the patch
doesn't apply anymore, will it be fixed or will we need to submit an updated
patch?
Also I wonder if the libunbound part of the patch will also be put in contrib/?
Currently util/net_help.c cannot handle UNIX sockets correctly, although it
seems to try to support them.

Anyway, I will post an updated version shortly.

Hi Ilya,

> I have one question about NLnet Labs policy regarding stuff that
> goes in contrib/. What level of testing and support do things in
> contrib/ receive? For example, if in the future something in
> unbound changes so that the patch doesn't apply anymore, will it be
> fixed or will we need to submit an updated patch?

I checked this with my colleagues. The answer is none. We won't commit
ourselves to test the patch now or in the future. We will still accept
fixes though.

> Also I wonder if the libunbound part of the patch will also be put in
> contrib/? Currently util/net_help.c cannot handle UNIX sockets
> correctly, although it seems to try to support them.

We accept bug fixes. Features will go to contrib as well.

> Anyway, I will post an updated version shortly.

Great. :)

Regards,
Yuri

Hi Yuri,
OK, thanks for the clarification!

I'm attaching a slightly modified patch. What's changed is that now unbound sets
the owner group of the socket to the group of the "username" user (specified in the
config file). We at genua found it very useful, because by default the socket
is created with root:wheel. And we set chmod 0660 on the socket file.
The code that retrieves the uid/gid is identical to the code in daemon.c. I have
copied it because, since this patch is not going to be committed, I want to
keep differences to the original code as localized as possible :)

This patch is released by genua mbH under the BSD license.

(attachments)

unbound_unixsock.diff (8.87 KB)

I actually really like this patch. We're doing container stuff and
we cannot easily do the whole ssl overhead to talk to/reconfigure
unbound. Please consider the patch for integration.

Paul