unbound-checkconf: fatal error: config file is not inside chroot

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Nov 29 12:55:49 UTC 2018


Hi Florian,

On 10/30/18 3:12 PM, Florian Obser via Unbound-users wrote:
> Hi,
> 
> configuration management systems seem to place files they manage into
> some temp directory, run a validation command and then move the config
> file into the final destination. (I tried salt stack's "check_cmd" and
> ansible's "validate" option.)
> 
> This does not play well with unbound-checkconf since it complains if
> the config file is not placed inside the chroot. I note that
> nsd-checkconf does not have this restriction.

Sure, removed that check.  Thanks for the mention.

Best regards, Wouter

> 
> Maybe this can be removed from unbound-checkconf as well?
> 
> Something like this:
> 
> diff --git smallapp/unbound-checkconf.c smallapp/unbound-checkconf.c
> index ea46479172c..255ffa4cda8 100644
> --- smallapp/unbound-checkconf.c
> +++ smallapp/unbound-checkconf.c
> @@ -463,19 +463,6 @@ morechecks(struct config_file* cfg, const char* fname)
>  		!is_dir(cfg->chrootdir)) {
>  		fatal_exit("bad chroot directory");
>  	}
> -	if(cfg->chrootdir && cfg->chrootdir[0]) {
> -		char buf[10240];
> -		buf[0] = 0;
> -		if(fname[0] != '/') {
> -			if(getcwd(buf, sizeof(buf)) == NULL)
> -				fatal_exit("getcwd: %s", strerror(errno));
> -			(void)strlcat(buf, "/", sizeof(buf));
> -		}
> -		(void)strlcat(buf, fname, sizeof(buf));
> -		if(strncmp(buf, cfg->chrootdir, strlen(cfg->chrootdir)) != 0)
> -			fatal_exit("config file %s is not inside chroot %s",
> -				buf, cfg->chrootdir);
> -	}
>  	if(cfg->directory && cfg->directory[0]) {
>  		char* ad = fname_after_chroot(cfg->directory, cfg, 0);
>  		if(!ad) fatal_exit("out of memory");
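
Review bot: Deleting the whole `if(cfg->chrootdir && cfg->chrootdir[0])` block means unbound-checkconf no longer reports anything when the file named by `fname` lies outside `cfg->chrootdir`, including when the file being checked is the one at its final location. If that condition still matters for the deployed file, consider keeping the path comparison but turning `fatal_exit("config file %s is not inside chroot %s", ...)` into a non-fatal warning, so that validating a temporary copy succeeds while the mismatch stays visible. Also check whether `fname` is still used elsewhere in `morechecks()` after this removal; if it is not, the parameter is left unused. Note as well that the removed test was a plain `strncmp` prefix match on a path that was never canonicalized, so a sibling directory sharing the chroot's prefix would have passed it; if a check is kept in any form, it should compare on a path-component boundary.
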
> 
> 
> 
> 
