--- /dev/null
+diff --git a/daemon/remote.c b/daemon/remote.c
+index a2b2204..b6990f3 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -81,6 +81,11 @@
+ #ifdef HAVE_NETDB_H
+ #include <netdb.h>
+ #endif
++#ifdef HAVE_PWD_H
++#include <pwd.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#endif
+
+ /* just for portability */
+ #ifdef SQ
+@@ -235,7 +240,8 @@ void daemon_remote_delete(struct daemon_remote* rc)
+ * @return false on failure.
+ */
+ static int
+-add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err)
++add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
++ struct config_file* cfg)
+ {
+ struct addrinfo hints;
+ struct addrinfo* res;
+@@ -246,29 +252,74 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err)
+ snprintf(port, sizeof(port), "%d", nr);
+ port[sizeof(port)-1]=0;
+ memset(&hints, 0, sizeof(hints));
+- hints.ai_socktype = SOCK_STREAM;
+- hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+- if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
+-#ifdef USE_WINSOCK
+- if(!noproto_is_err && r == EAI_NONAME) {
+- /* tried to lookup the address as name */
+- return 1; /* return success, but do nothing */
++
++ if(ip[0] == '/') {
++ /* This looks like UNIX socket! */
++ fd = create_domain_accept_sock(ip);
++/*
++ * When unbound starts, it first creates a socket and then
++ * drops privs, so the socket is created as root user.
++ * This is fine, but we would like to set _unbound user group
++ * for this socket, and permissions should be 0660 so only
++ * root and _unbound group members can invoke unbound-control.
++ * The username used here is the same as username that unbound
++ * uses for its worker processes.
++ */
++
++/*
++ * Note: this code is an exact copy of code from daemon.c
++ * Normally this should be either wrapped into a function,
++ * or gui/gid values should be retrieved at config parsing time
++ * and then stored in configfile structure.
++ * This requires action from unbound developers!
++*/
++#ifdef HAVE_GETPWNAM
++ struct passwd *pwd = NULL;
++ uid_t uid;
++ gid_t gid;
++ /* initialize, but not to 0 (root) */
++ memset(&uid, 112, sizeof(uid));
++ memset(&gid, 112, sizeof(gid));
++ log_assert(cfg);
++
++ if(cfg->username && cfg->username[0]) {
++ if((pwd = getpwnam(cfg->username)) == NULL)
++ fatal_exit("user '%s' does not exist.",
++ cfg->username);
++ uid = pwd->pw_uid;
++ gid = pwd->pw_gid;
++ endpwent();
+ }
++
++ chown(ip, 0, gid);
++ chmod(ip, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
++#endif
++ } else {
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++ if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
++#ifdef USE_WINSOCK
++ if(!noproto_is_err && r == EAI_NONAME) {
++ /* tried to lookup the address as name */
++ return 1; /* return success, but do nothing */
++ }
+ #endif /* USE_WINSOCK */
+- log_err("control interface %s:%s getaddrinfo: %s %s",
+- ip?ip:"default", port, gai_strerror(r),
++ log_err("control interface %s:%s getaddrinfo: %s %s",
++ ip?ip:"default", port, gai_strerror(r),
+ #ifdef EAI_SYSTEM
+ r==EAI_SYSTEM?(char*)strerror(errno):""
+ #else
+ ""
+ #endif
+ );
+- return 0;
++ return 0;
++ }
++
++ /* open fd */
++ fd = create_tcp_accept_sock(res, 1, &noproto);
++ freeaddrinfo(res);
+ }
+
+- /* open fd */
+- fd = create_tcp_accept_sock(res, 1, &noproto);
+- freeaddrinfo(res);
+ if(fd == -1 && noproto) {
+ if(!noproto_is_err)
+ return 1; /* return success, but do nothing */
+@@ -305,7 +356,7 @@ struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
+ if(cfg->control_ifs) {
+ struct config_strlist* p;
+ for(p = cfg->control_ifs; p; p = p->next) {
+- if(!add_open(p->str, cfg->control_port, &l, 1)) {
++ if(!add_open(p->str, cfg->control_port, &l, 1, cfg)) {
+ listening_ports_free(l);
+ return NULL;
+ }
+@@ -313,12 +364,12 @@ struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
+ } else {
+ /* defaults */
+ if(cfg->do_ip6 &&
+- !add_open("::1", cfg->control_port, &l, 0)) {
++ !add_open("::1", cfg->control_port, &l, 0, cfg)) {
+ listening_ports_free(l);
+ return NULL;
+ }
+ if(cfg->do_ip4 &&
+- !add_open("127.0.0.1", cfg->control_port, &l, 1)) {
++ !add_open("127.0.0.1", cfg->control_port, &l, 1, cfg)) {
+ listening_ports_free(l);
+ return NULL;
+ }
+diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
+index ea7ec3a..4cb04e2 100644
+--- a/services/listen_dnsport.c
++++ b/services/listen_dnsport.c
+@@ -55,6 +55,10 @@
+ #endif
+ #include <fcntl.h>
+
++#ifndef USE_WINSOCK
++#include <sys/un.h>
++#endif
++
+ /** number of queued TCP connections for listen() */
+ #define TCP_BACKLOG 5
+
+@@ -376,6 +380,53 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
+ }
+
+ int
++create_domain_accept_sock(char *path) {
++ int s;
++ struct sockaddr_un unixaddr;
++
++#ifndef USE_WINSOCK
++ unixaddr.sun_len = sizeof(unixaddr);
++ unixaddr.sun_family = AF_UNIX;
++ strlcpy(unixaddr.sun_path, path, 104);
++
++ if((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
++ log_err("Cannot create UNIX socket %s (%s)",
++ path, strerror(errno));
++ return -1;
++ }
++
++ if(unlink(path) && errno != ENOENT) {
++ /* The socket already exists and cannot be removed */
++ log_err("Cannot remove old UNIX socket %s (%s)",
++ path, strerror(errno));
++ return -1;
++ }
++
++ if(bind(s, (struct sockaddr *) &unixaddr,
++ sizeof(struct sockaddr_un)) == -1) {
++ log_err("Cannot bind UNIX socket %s (%s)",
++ path, strerror(errno));
++ return -1;
++ }
++
++ if(!fd_set_nonblock(s)) {
++ log_err("Cannot set non-blocking mode");
++ return -1;
++ }
++
++ if(listen(s, TCP_BACKLOG) == -1) {
++ log_err("can't listen: %s", strerror(errno));
++ return -1;
++ }
++
++ return s;
++#else
++ log_err("UNIX sockets are not supported");
++ return -1;
++#endif
++}
++
++int
+ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto)
+ {
+ int s;
+diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
+index a872f92..10631fd 100644
+--- a/smallapp/unbound-control.c
++++ b/smallapp/unbound-control.c
+@@ -59,6 +59,8 @@
+ #include "util/locks.h"
+ #include "util/net_help.h"
+
++#include <sys/un.h>
++
+ /** Give unbound-control usage, and exit (1). */
+ static void
+ usage()
+@@ -158,6 +160,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
+ {
+ struct sockaddr_storage addr;
+ socklen_t addrlen;
++ int addrfamily = 0;
+ int fd;
+ /* use svr or the first config entry */
+ if(!svr) {
+@@ -176,12 +179,21 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
+ if(strchr(svr, '@')) {
+ if(!extstrtoaddr(svr, &addr, &addrlen))
+ fatal_exit("could not parse IP@port: %s", svr);
++ } else if(svr[0] == '/') {
++ struct sockaddr_un* unixsock = (struct sockaddr_un *) &addr;
++ unixsock->sun_family = AF_UNIX;
++ unixsock->sun_len = sizeof(unixsock);
++ strlcpy(unixsock->sun_path, svr, 104);
++ addrlen = sizeof(struct sockaddr_un);
++ addrfamily = AF_UNIX;
+ } else {
+ if(!ipstrtoaddr(svr, cfg->control_port, &addr, &addrlen))
+ fatal_exit("could not parse IP: %s", svr);
+ }
+- fd = socket(addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET,
+- SOCK_STREAM, 0);
++
++ if(addrfamily != AF_UNIX)
++ addrfamily = addr_is_ip6(&addr, addrlen)?AF_INET6:AF_INET;
++ fd = socket(addrfamily, SOCK_STREAM, 0);
+ if(fd == -1) {
+ #ifndef USE_WINSOCK
+ fatal_exit("socket: %s", strerror(errno));
+diff --git a/util/net_help.c b/util/net_help.c
+index b3136a3..5b5b4a3 100644
+--- a/util/net_help.c
++++ b/util/net_help.c
+@@ -45,6 +45,7 @@
+ #include "util/module.h"
+ #include "util/regional.h"
+ #include <fcntl.h>
++#include <sys/un.h>
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+
+@@ -135,7 +136,7 @@ log_addr(enum verbosity_value v, const char* str,
+ {
+ uint16_t port;
+ const char* family = "unknown";
+- char dest[100];
++ char dest[108];
+ int af = (int)((struct sockaddr_in*)addr)->sin_family;
+ void* sinaddr = &((struct sockaddr_in*)addr)->sin_addr;
+ if(verbosity < v)
+@@ -148,15 +149,23 @@ log_addr(enum verbosity_value v, const char* str,
+ case AF_UNIX: family="unix"; break;
+ default: break;
+ }
+- if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
+- strncpy(dest, "(inet_ntop error)", sizeof(dest));
++
++ if(af != AF_UNIX) {
++ if(inet_ntop(af, sinaddr, dest, (socklen_t)sizeof(dest)) == 0) {
++ strncpy(dest, "(inet_ntop error)", sizeof(dest));
++ }
++ dest[sizeof(dest)-1] = 0;
++ port = ntohs(((struct sockaddr_in*)addr)->sin_port);
++ if(verbosity >= 4)
++ verbose(v, "%s %s %s port %d (len %d)", str, family,
++ dest, (int)port, (int)addrlen);
++ else verbose(v, "%s %s port %d", str, dest, (int)port);
++ } else {
++ struct sockaddr_un* unixsock;
++ unixsock = (struct sockaddr_un *) addr;
++ strlcpy(dest, unixsock->sun_path, sizeof(dest));
++ verbose(v, "%s %s %s", str, family, dest);
+ }
+- dest[sizeof(dest)-1] = 0;
+- port = ntohs(((struct sockaddr_in*)addr)->sin_port);
+- if(verbosity >= 4)
+- verbose(v, "%s %s %s port %d (len %d)", str, family, dest,
+- (int)port, (int)addrlen);
+- else verbose(v, "%s %s port %d", str, dest, (int)port);
+ }
+
+ int
projects / thirdparty / unbound.git / commitdiff
