author | Chris Buechler <cmb@pfsense.org> | 2015-10-21 19:54:10 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-10-21 19:54:10 -0500 |
commit | d7f5b68ab31f2317d2fba73de69e89a89fa0af1a (patch) | |
tree | 8ba38026ffe61e7df2b13370960f38ba8fecc349 /etc | |
parent | f3ee8205e6332d4895e93f4f2831cc65ab98d0c0 (diff) | |
download | pfsense-d7f5b68ab31f2317d2fba73de69e89a89fa0af1a.zip pfsense-d7f5b68ab31f2317d2fba73de69e89a89fa0af1a.tar.gz |
Check unbound root.key file contents, and remove the file if it is invalid, before unbound-anchor runs; otherwise unbound-anchor will fail and unbound will fail to start. fsync the file after writing to prevent the problem. Ticket #5334
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/unbound.inc | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc
index 340efcc..9aeaa0c 100644
--- a/etc/inc/unbound.inc
+++ b/etc/inc/unbound.inc
@@ -450,7 +450,16 @@ function do_as_unbound_user($cmd) {
 mwexec("echo '/usr/local/sbin/unbound-control reload' | /usr/bin/su -m unbound", true);
 break;
 case "unbound-anchor":
+ // sanity check root.key because unbound-anchor will fail without manual removal otherwise. redmine #5334
+ if (file_exists("{$g['unbound_chroot_path']}/root.key")) {
+ $rootkeycheck = mwexec("/usr/bin/grep 'autotrust trust anchor file' {$g['unbound_chroot_path']}/root.key", true);
+ if ($rootkeycheck != "0") {
+ log_error("Unbound root.key file is corrupt, removing and recreating.");
+ unlink_if_exists("{$g['unbound_chroot_path']}/root.key");
+ }
+ }
 mwexec("echo '/usr/local/sbin/unbound-anchor -a {$g['unbound_chroot_path']}/root.key' | /usr/bin/su -m unbound", true);
+ pfSense_fsync("{$g['unbound_chroot_path']}/root.key");
 break;
 case "unbound-control-setup":
 mwexec("echo '/usr/local/sbin/unbound-control-setup -d {$g['unbound_chroot_path']}' | /usr/bin/su -m unbound", true); |
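Review bot: The new validity test in the `unbound-anchor` case only greps root.key for the header comment `autotrust trust anchor file`, so a file that was cut off after its first line still passes and unbound-anchor would be handed the same broken anchor this commit is meant to clear. Because root.key is the DNSSEC trust anchor, it would be safer to also require at least one record line, or a plausible minimum file size, before treating the file as good. The path is interpolated unquoted into the grep command; it comes from `$g` rather than from user input, but passing `escapeshellarg("{$g['unbound_chroot_path']}/root.key")` would keep the argument intact if the chroot path ever contains a space or shell metacharacter. `pfSense_fsync()` is called whether or not unbound-anchor succeeded, so a comment such as `// root.key may be absent here if unbound-anchor failed` would help the next reader. The switch in do_as_unbound_user() starts and ends outside the hunk.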