use sudo for unbound statistics
Debian 12 by default uses a Unix domain socket for access to
the control interface of unbound.  To make it more secure and
allow the RRD user only to call "unbound-control stats" and
nothing else, a small sudo wrapper is now needed.

`/usr/local/sbin/unbound-stats` should contain:

```shell
/usr/sbin/unbound-control stats
```

and the user running the unbound.pl rrd script must be permitted
to run `sudo /usr/local/sbin/unbound-stats`.
mmitch committed Jun 17, 2023
1 parent 1f0aed4 commit e669a6e
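
The commit message names the wrapper and says the RRD user must be allowed to run it through sudo, but does not show the sudoers rule. The following is an added example, not part of the commit or the project: it stages the wrapper and a matching sudoers drop-in under a directory for inspection. The account name `rrd`, the drop-in file name, the `NOPASSWD` tag, and the shebang and `exec` in the wrapper are assumptions.

```shell
#!/bin/sh
# Added example: stage the wrapper and a sudoers drop-in for the RRD user.
# Assumptions: account name "rrd", drop-in name "unbound-stats", NOPASSWD
# because the RRD script runs unattended.

stage_unbound_stats() {
    destdir=$1            # "" writes to /, a directory stages for review
    rrd_user=${2:-rrd}    # assumed account name

    # Refuse names that could smuggle extra sudoers syntax into the rule.
    case $rrd_user in
        ''|*[!a-z0-9_-]*) echo "bad user name: $rrd_user" >&2; return 1 ;;
    esac

    wrapper=$destdir/usr/local/sbin/unbound-stats
    rule=$destdir/etc/sudoers.d/unbound-stats
    mkdir -p "${wrapper%/*}" "${rule%/*}" || return 1

    # The wrapper ignores its arguments, so the caller cannot reach any
    # other unbound-control subcommand through it.
    printf '%s\n' '#!/bin/sh' 'exec /usr/sbin/unbound-control stats' \
        > "$wrapper" || return 1
    chmod 0755 "$wrapper" || return 1

    # The trailing "" makes sudo reject the command if arguments are added.
    printf '%s ALL=(root) NOPASSWD: /usr/local/sbin/unbound-stats ""\n' \
        "$rrd_user" > "$rule" || return 1
    chmod 0440 "$rule" || return 1

    # Both files must belong to root; a wrapper the RRD user could edit
    # would turn the rule into unrestricted root access.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$wrapper" "$rule" || return 1
    fi
}

# Run directly as: sh stage.sh DESTDIR [USER]
if [ "$#" -ge 1 ]; then
    stage_unbound_stats "$@"
fi
```

Check the staged rule with `visudo -cf` before copying it into `/etc/sudoers.d`.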
Showing 2 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion runall.sh
Expand Up @@ -28,7 +28,7 @@ SCRIPTPATH=.
#
# set sleep time in seconds between calls
# total script runtime should not exceed 5 minutes!
RRD_WAIT=${RRD_WAIT:-16}
RRD_WAIT=${RRD_WAIT:-2}

#
# how many graphs should be rendered?
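
Review bot: the two RRD_WAIT lines change the default sleep between calls (16 and 2 seconds), and nothing in the commit message, which is only about sudo for unbound statistics, explains that. Either move the RRD_WAIT change into its own commit or add a sentence saying why the default changes together with the sudo wrapper, so the history shows whether it was intended.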
4 changes: 2 additions & 2 deletions unbound.pl
Expand Up @@ -75,7 +75,7 @@
}

# get data
open STATUS, '/usr/sbin/unbound-control stats|' or die "can't open unbound-control: $!";
open STATUS, 'sudo /usr/local/sbin/unbound-stats|' or die "can't open unbound-stats: $!";
my %stats = (
'total.num.cachehits' => 0,
'total.num.cachemiss' => 0,
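
Review bot: the new open line calls sudo by bare name and without -n, so the privileged call depends on the PATH of whatever starts the script, and a missing sudoers rule leads to a password prompt instead of an immediate error. Consider the list form with an absolute path, for example open my $status, '-|', '/usr/bin/sudo', '-n', '/usr/local/sbin/unbound-stats', and add a comment next to it naming the sudoers rule the script expects, since that requirement currently lives only in the commit message.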
Expand All @@ -87,7 +87,7 @@
my ($key, $value) = split /=/, $line, 2;
$stats{$key} = $value;
}
close STATUS or die "can't close unbound-control: $!";
close STATUS or die "can't close unbound-stats: $!";

# update database
RRDs::update($datafile,
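
Review bot: on the new close line, $! is not set when the piped command only exits with a non-zero status, which is what sudo does when it refuses the command, so the die message will carry no reason in exactly the case this change introduces. Include $? in the message (for example the exit code, $? >> 8) so a missing or wrong sudoers rule can be told apart from an I/O error.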