libc: Don't update resolv.conf on signature mismatch

Apparently some users just don't want to set resolvconf=NO or
libc=NO in resolvconf.conf and do not expect resolvconf to
overwrite their lovingly hand crafted file by default.

This is fair, so only udpate resolv.conf if it's signature
matches our expectation.
If it does not match, warn noisly about it and prompt
running `resolvconf -u` to fix it.

Author: rsmarples

libc.in

@@ -34,9 +34,18 @@ KEYDIR="$VARDIR/keys"
 if [ ! -d "$KEYDIR" ] && [ -d "$VARDIR/interfaces" ]; then
 	KEYDIR="$VARDIR/interfaces"
 fi
+
+CMD="$1"
+KEY="$2"
+
 NL="
 "
 
+warn()
+{
+	echo "$(basename $0): $*" >&2
+}
+
 # sed may not be available, and this is faster on small files
 key_get_value()
 {
@@ -113,7 +122,6 @@ then
 	resolv_conf_tail="$(cat "$SYSCONFDIR"/resolv.conf.tail)"
 fi
 
-backup=true
 signature="# Generated by resolvconf"
 
 uniqify()
@@ -131,15 +139,14 @@ uniqify()
 
 case "${resolv_conf_passthrough:-NO}" in
 [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
-	backup=false
 	newest=
 	for conf in "$KEYDIR"/*; do
 		if [ -z "$newest" ] || [ "$conf" -nt "$newest" ]; then
 			newest="$conf"
 		fi
 	done
 	[ -z "$newest" ] && exit 0
-	newconf="$(cat "$newest")$NL"
+	newconf="$signature$NL$(cat "$newest")$NL"
 	;;
 /dev/null|[Nn][Uu][Ll][Ll])
 	: ${resolv_conf_local_only:=NO}
@@ -215,33 +222,28 @@ esac
 
 # Check if the file has actually changed or not
 if [ -e "$resolv_conf" ]; then
-	[ "$(cat "$resolv_conf")" = "$(printf %s "$newconf")" ] && exit 0
-fi
-
-# Change is good.
-# If the old file does not have our signature, back it up.
-# If the new file just has our signature, restore the backup.
-if $backup; then
-	if [ "$newconf" = "$signature$NL" ]; then
-		case "${resolv_conf_restore:=YES}" in
-		[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
-			if [ -e "$resolv_conf.bak" ]; then
-				newconf="$(cat "$resolv_conf.bak")$NL"
-			fi
-			;;
-		esac
-	elif [ -e "$resolv_conf" ]; then
-		read line <"$resolv_conf"
-		if [ "$line" != "$signature" ]; then
-			cp "$resolv_conf" "$resolv_conf.bak"
+	if [ "$CMD" != u ] && \
+	    [ "$(cat "$resolv_conf")" = "$(printf %s "$newconf")" ]
+	then
+		exit 0
+	fi
+	read line <"$resolv_conf"
+	if [ "$line" != "$signature" ]; then
+		if [ "$CMD" != u ]; then
+			warn "signature mismatch: $resolv_conf"
+			warn "run \`resolvconf -u\` to update"
+			exit 1
 		fi
+		cp "$resolv_conf" "$resolv_conf.bak"
 	fi
 fi
 
 # There are pros and cons for writing directly to resolv.conf
 # instead of a temporary file and then moving it over.
 # The default is to write to resolv.conf as it has the least
 # issues and has been the long standing default behaviour.
+# resolv.conf could also be bind mounted for network namespaces
+# so we cannot move in this instance.
 case "${resolv_conf_mv:-NO}" in
 [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
 	# Protect against symlink attack, ensure new file does not exist

resolvconf.8.in

@@ -22,7 +22,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd June 24, 2025
+.Dd June 26, 2025
 .Dt RESOLVCONF 8
 .Os
 .Sh NAME
@@ -78,6 +78,14 @@ instead of the filesystem.
 then updates
 .Pa /etc/resolv.conf
 as it thinks best.
+If
+.Pa /etc/resolv.conf
+already exists and the top line does not match the expected signature,
+then
+.Nm
+will refuse to update it unless the
+.Fl u
+update command is given.
 When a local resolver other than libc is installed, such as
 .Xr dnsmasq 8
 or
@@ -111,20 +119,6 @@ outside of
 .Nm .
 .Pp
 .Nm
-assumes it has a job to do.
-In some situations
-.Nm
-needs to act as a deterrent to writing to
-.Pa /etc/resolv.conf .
-Where this file cannot be made immutable or you just need to toggle this
-behaviour,
-.Nm
-can be disabled by adding
-.Sy resolvconf Ns = Ns NO
-to
-.Xr resolvconf.conf 5 .
-.Pp
-.Nm
 can mark a
 .Pa resolv.conf
 as private and optionally non-searchable.