[Unbound-users] [PATCH] UNIX sockets support for unbound-control
Ilya Bakulin
Ilya_Bakulin at genua.de
Fri Aug 3 14:10:51 UTC 2012
Hi all,
We develop a product that contains the unbound server, and we want to use the
unbound-control utility for managing running unbound instances. This utility
looks very powerful, with the ability to query server status, flush/restore zone
caches and even add new zone entries on the fly.
One thing that we miss is the ability to control unbound via unix sockets.
This may be quite a useful and secure setup. Using unix sockets makes it
possible to use traditional unix permissions for controlling access to
unbound, and it's impossible to access the control interface when an attacker
occasionally breaks some other chrooted process on the system (because chroot
restricts access only to the file system namespace, not to the IP sockets
namespace). The other advantage is that they are faster than local TCP, which
may be useful if loading the cache via the load_cache command.
Attached is a patch that adds unix sockets support to unbound and
unbound-control. After applying the patch it is possible to have such a
configuration:
>>>>>>>>>>>>>>>>>>>>>>>>>>
remote-control:
    control-enable: yes
    control-interface: /tmp/unbound.sock
    server-key-file: /cage/unbound/etc/unbound_server.key
    server-cert-file: /cage/unbound/etc/unbound_server.pem
    control-key-file: /cage/unbound/etc/unbound_control.key
    control-cert-file: /cage/unbound/etc/unbound_control.pem
>>>>>>>>>>>>>>>>>>>>>>>>>>
Additionally, this patch fixes the log_addr() function in libunbound, which is
not fully compatible with unix sockets.
This patch is made for unbound 1.4.15.
Please review attached patch and tell me if you find this feature useful! :-)
--
Best regards,
Ilya Bakulin
genua
Gesellschaft fuer Netzwerk- und Unix-Administration mbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht Muenchen HRB 98238
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound_unixsock_for_control.diff
Type: text/x-diff
Size: 4829 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20120803/08e2eaa1/attachment.bin>