author | 2019-10-07 14:33:18 +0000 | |
---|---|---|
committer | 2019-10-07 14:33:18 +0000 | |
commit | cc94fa44f6b6a1e567711d40cd1b9a0a2da3fefd (patch) | |
tree | f93081f24b5454b94a998917bbcd400941374204 | |
parent | ip_ether.c is empty, and now unlinked from the build. (diff) | |
As found by tb@, the name of the temporary file used when updating the
root anchor changed in unbound 1.9.3, "Add hex print of trust anchor
pointer to trust anchor file temp name to make it unique, for libunbound
created multiple contexts".
This isn't allowed by unbound-anchor's unveil; adjust to unveil the
parent directory (typically /var/unbound/db, but generated from the
filename).
ok florian@ tb@
-rw-r--r-- | usr.sbin/unbound/smallapp/unbound-anchor.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/usr.sbin/unbound/smallapp/unbound-anchor.c b/usr.sbin/unbound/smallapp/unbound-anchor.c
index 57847f892d1..33a3e1202c6 100644
--- a/usr.sbin/unbound/smallapp/unbound-anchor.c
+++ b/usr.sbin/unbound/smallapp/unbound-anchor.c
@@ -116,6 +116,7 @@
 */
 #include <err.h>
+#include <libgen.h>
 #include <unistd.h>
 #include "config.h"
@@ -2284,7 +2285,8 @@ int main(int argc, char* argv[])
 const char* res_conf = NULL;
 const char* root_hints = NULL;
 const char* debugconf = NULL;
- char* root_anchor_tempfile;
+ char* root_anchor_temppath;
+ char* s;
 int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
 int res_conf_fallback = 0;
 /* parse the options */
@@ -2370,16 +2372,16 @@ int main(int argc, char* argv[])
 if(dolist) do_list_builtin();
- if (asprintf(&root_anchor_tempfile, "%s.%d-0", root_anchor_file,
- getpid()) == -1) {
+ s = strdup(root_anchor_file);
+ if (s == NULL ||
+ asprintf(&root_anchor_temppath, "%s", dirname(s)) == -1) {
 if(verb) printf("out of memory\n");
 exit(0);
 }
-
- if (unveil(root_anchor_file, "rwc") == -1)
- err(1, "unveil");
- if (unveil(root_anchor_tempfile, "rwc") == -1)
+ if (unveil(root_anchor_temppath, "rwc") == -1)
 err(1, "unveil");
+ free(root_anchor_temppath);
+ free(s);
 if (unveil(root_cert_file, "r") == -1)
 err(1, "unveil");
 if (res_conf != NULL && unveil(res_conf, "r") == -1)
|
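Review bot: The `unveil(root_anchor_temppath, "rwc")` call in the last hunk now grants read/write/create on the whole parent directory rather than on two named files, so the sandbox is only as tight as the directory the anchor lives in; if `root_anchor_file` has no directory component (its origin is not visible in this hunk), `dirname()` yields "." and the current working directory is what gets unveiled. A comment above the call should record why the directory is needed and what it assumes, e.g. `/* libunbound's temp file name is not predictable; unveil the directory, which should hold only unbound's own files */`. The result of `dirname(s)` is also handed to `asprintf` unchecked; as far as I know OpenBSD's dirname(3) can return NULL for an over-long path, so with a `char *dir` local, `if ((dir = dirname(s)) == NULL) err(1, "dirname");` followed by `unveil(dir, "rwc")` would report the real error and make the extra `asprintf` copy unnecessary. The body of main() starts and ends outside this hunk.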