ports/173773: [PATCH] dns/unbound: Security fix: avoid storing PID file under chroot

Ilya Bakulin webmaster at kibab.com
Wed Nov 21 20:00:01 UTC 2012


>Number:         173773
>Category:       ports
>Synopsis:       [PATCH] dns/unbound: Security fix: avoid storing PID file under chroot
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 21 20:00:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Ilya Bakulin
>Release:        FreeBSD 9.0-RELEASE-p3 amd64
>Organization:
Deglitch Networks
>Environment:
System: FreeBSD olymp.kibab.com 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012
>Description:
By default, unbound writes its PID to /usr/local/etc/unbound/unbound.pid.
This file stays accessible to the unbound daemon after it chroots, and is even
writable by the non-privileged "unbound" user. If an attacker breaks unbound, he
can replace the PID in the pidfile. FreeBSD's rc.d system is smart enough to
refuse to act on a process whose name differs, but it will then report that
unbound is not running, and trying to start it will fail because the ports are
still bound by the real daemon.

Other tools may fail in strange ways, admin's kitten will be killed, etc.

The attached patch fixes this issue by configuring unbound to store its PID in
/var/run/unbound.pid. Keeping the PID file outside the chroot is possible
because unbound writes its pidfile just before chrooting.

Storing such information under /var/run also complies with hier(7).

Ideally unbound should be chrooted in /var/run/unbound, but this currently causes
some problems (you need to store the config file there; OpenBSD does that,
but this sounds like a bad idea to me).
I need to clarify with NLNetLabs how they advise doing chrooting properly.
unbound.conf(5) and unbound-checkconf seem to disagree about the possibility
of having the config file outside the chroot.

Port maintainer (sem at FreeBSD.org) is cc'd.

Generated with FreeBSD Port Tools 0.99_6 (mode: change, diff: ports)
>How-To-Repeat:
After unbound starts, do the following:
$ sudo -u unbound sh
$ echo "1" > /usr/local/etc/unbound/unbound.pid
$ logout

Trying to retrieve process status:
$ /usr/local/etc/rc.d/unbound onestatus
unbound is not running.

Trying to start process:
$ /usr/local/etc/rc.d/unbound onestart
Obtaining a trust anchor:.
Starting unbound.
[1353327351] unbound[94268:0] error: bind: address already in use
[1353327351] unbound[94268:0] fatal error: could not open ports
/usr/local/etc/rc.d/unbound: WARNING: failed to start unbound
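An audit check for the placement described above, as an added example that is not part of the PR or of the unbound port: given the pidfile path, the chroot directory and the daemon user, it reports whether the PID file lies inside the chroot and whether the daemon user could write it. Paths, the user name and the use of ls(1) output instead of the non-portable stat(1) formats are this example's own choices.

```shell
#!/bin/sh
# Added audit helper (not from the PR or the unbound port).
# A PID file that sits inside the chroot, or that the unprivileged daemon
# user can write, can be rewritten by a compromised daemon, which is the
# spoofing the report describes. Prints one line per finding and returns
# 0 when the placement is safe, 1 otherwise.

# Does <user> have write access to <path>?  Decided from `ls -ld` output
# (mode string, owner, group), which looks the same on BSD and GNU userlands.
user_can_write() {
    path=$1 user=$2
    set -- $(ls -ld "$path")        # $1=mode $3=owner $4=group
    mode=$1 owner=$3 group=$4
    # the owner can always chmod the file back to writable
    [ "$owner" = "$user" ] && return 0
    # other-write bit: 9th character of the mode string
    case "$mode" in ????????w*) return 0 ;; esac
    # group-write bit (6th character) counts only if the user is in that group
    case "$mode" in ?????w*)
        for g in $(id -Gn "$user" 2>/dev/null); do
            [ "$g" = "$group" ] && return 0
        done ;;
    esac
    return 1
}

# check_pidfile <pidfile> <chroot-dir> <daemon-user>
check_pidfile() {
    pidfile=$1 chrootdir=$2 user=$3
    rc=0
    if [ -z "$chrootdir" ]; then
        echo "ok:  no chroot configured"
    else
        case "$pidfile" in
            "${chrootdir%/}"/*)
                echo "BAD: $pidfile lies inside chroot $chrootdir"; rc=1 ;;
            *)
                echo "ok:  $pidfile is outside chroot $chrootdir" ;;
        esac
    fi
    # if the file does not exist yet, the directory decides who can create it
    if [ -e "$pidfile" ]; then target=$pidfile; else target=$(dirname "$pidfile"); fi
    if user_can_write "$target" "$user"; then
        echo "BAD: $target is writable by $user (PID can be spoofed)"; rc=1
    else
        echo "ok:  $target is not writable by $user"
    fi
    return $rc
}

# Example invocations matching the report (constructed paths, run as needed):
#   check_pidfile /usr/local/etc/unbound/unbound.pid /usr/local/etc/unbound unbound
#   check_pidfile /var/run/unbound.pid /usr/local/etc/unbound unbound
```

Run the first invocation against a stock 1.4.18_3 install to see both findings fail; after the patch, the second should pass because /var/run/unbound.pid is created by root before the daemon chroots and drops privileges.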

>Fix:
Apply the patch. Save the kitten.

--- unbound-1.4.18_3.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/dns/unbound/Makefile ./Makefile
--- /usr/ports/dns/unbound/Makefile	2012-11-19 00:59:14.000000000 +0100
+++ ./Makefile	2012-11-21 09:46:40.000000000 +0100
@@ -20,7 +20,9 @@
 USE_GMAKE=	yes
 USE_OPENSSL=	yes
 GNU_CONFIGURE=	yes
-CONFIGURE_ARGS+=--with-ssl=${OPENSSLBASE}
+CONFIGURE_ARGS+=--with-ssl=${OPENSSLBASE} \
+		--with-pidfile=/var/run/unbound.pid
+
 USE_LDCONFIG=	yes
 
 USERS=		${PORTNAME}
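Review bot: the new pidfile path is hard-coded here and again in files/unbound.in, so the two defaults can drift; define it once in the Makefile (e.g. `UNBOUND_PIDFILE=/var/run/unbound.pid`, used in CONFIGURE_ARGS and substituted into the rc script via SUB_LIST, the same mechanism that already provides %%PREFIX%%) so a later change touches one place. The bare `+` line after the CONFIGURE_ARGS continuation inserts a stray blank line before USE_LDCONFIG and can be dropped. Two things the description leaves open and the patch should state: what happens at shutdown, when the daemon is still inside the chroot and cannot reach /var/run/unbound.pid to unlink it (can a stale file be left behind?), and that no PORTREVISION bump or pkg-message appears in the patch even though the file moves; users upgrading should be told to remove the old, unbound-writable ${PREFIX}/etc/unbound/unbound.pid.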
diff -ruN --exclude=CVS /usr/ports/dns/unbound/files/unbound.in ./files/unbound.in
--- /usr/ports/dns/unbound/files/unbound.in	2012-11-17 06:57:11.000000000 +0100
+++ ./files/unbound.in	2012-11-21 09:47:14.000000000 +0100
@@ -24,7 +24,7 @@
 
 load_rc_config $name
 
-pidfile=${unbound_pidfile:-"%%PREFIX%%/etc/unbound/unbound.pid"}
+pidfile=${unbound_pidfile:-"/var/run/unbound.pid"}
 unbound_enable=${unbound_enable:-"NO"}
 
 start_precmd()
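Review bot: the rc script's new default ignores a `pidfile:` set explicitly in unbound.conf; an admin who keeps the old path in the config will have rc.d looking in /var/run while unbound writes into the chroot, which reproduces the "not running" symptom from the report. Reading the effective value from the config (for instance with `unbound-checkconf -o pidfile`, if this unbound version supports it) in start_precmd, or at least documenting that the unbound_pidfile rc.conf knob must match unbound.conf, would close that gap. It is also worth noting in the commit message that the file is now written by root into /var/run before chroot and setuid, since that root ownership is what makes it tamper-resistant.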
--- unbound-1.4.18_3.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
