[Bug 341817] Re: dhcpd won't start due to rndc.key permissions
Launchpad Bug Tracker
341817 at bugs.launchpad.net
Tue Jul 3 14:35:17 UTC 2012
This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu1
---------------
isc-dhcp (4.2.4-1ubuntu1) quantal; urgency=low
* Merge from Debian. Remaining changes:
(LP: #768171, LP: #841182, LP: #881558, LP: #872929, LP: #616809)
- Use upstart jobs for isc-dhcp-server and isc-dhcp-relay.
- Add IPv6 support to udeb dhclient-script (forwarded as Debian #635897).
- Add an apport hook to isc-dhcp-client and isc-dhcp-server.
- Add an apparmor profile to isc-dhcp-client and isc-dhcp-server.
- Update default dhclient.conf to ask for IPv6 configuration.
- Patches:
+ dhclient-fix-backoff
+ dhclient-more-debug
+ dhclient-onetry-call-clientscript
+ dhclient-safer-timeout
+ dhcpd.conf-subnet-examples
+ multi-ip-addr-per-if
+ onetry_retry_after_initial_success
+ revert-next-server
* Set fqdn.fqdn to the result of gethostname(); (LP: #991360)
* Replace old droppriv and deroot patches by use of --enable-paranoia
and matching -user and -group parameters to dhcpd. (LP: #727837)
* Allow read access to /etc/dhcp/ddns-keys/* for ddns. (LP: #341817)
It's expected that people generate one key per zone and have it stored
in both /etc/bind9 and /etc/dhcp/ddns-keys/ for security reasons.
* Fix apport hook to work with python3.
isc-dhcp (4.2.4-1) unstable; urgency=low
* New upstream release
* debian/control: reformatted Uploaders so that dch doesn't think I'm making
NMUs
* debian/rules: do a clean between the LDAP-enabled build and the
non-LDAP-enabled one, so that no LDAP-related artefacts are accidentally
incorporated into the non-LDAP build
* debian/dhclient-script.*: conditionalise the chown/chmod of the new
resolv.conf on the existence of the old one (closes: #595400)
* debian/dhclient-script.linux: comply with RFC 3442 and ignore
the routers option if the rfc3442-classless-static-routes option is present
(closes: #592735)
* debian/dhclient-script.kfreebsd: fix subnet mask handling (closes: #677985)
isc-dhcp (4.2.2.dfsg.1-5) unstable; urgency=medium
[ Andrew Pollock ]
* debian/dhclient.conf: send the hostname (closes: #151820)
[ Michael Gilbert ]
* Fix cve-2011-4868: error in DDNS handling with IPv6 (closes: #655746)
* Fix cve-2011-4539: error in regular expression handling
(closes: #652259)
* Make dependencies diff-able
* Add myself to uploaders
* Remove all automatically generated files in clean rule
* Medium urgency for security updates
isc-dhcp (4.2.2.dfsg.1-4) unstable; urgency=low
* The "Zoe woke up at 4am and I couldn't get back to sleep so I had some
extra time to work on this" release
* patch the Makefile for the embedded BIND libraries so that autoconf is run
so that the modification to configure.in to fix the FTBFS on kFreeBSD
actually does something useful (closes: #643569)
isc-dhcp (4.2.2.dfsg.1-3) unstable; urgency=low
* debian/control: remove transitional packages
* debian/rules: apply the intent of Pierre Chifflier's patch to enable
hardening options (closes: #644413)
* debian/control: also add inetutils-ping to the dependencies for
isc-dhcp-client on hurd (closes: #648140)
* Convert to 3.0 (quilt) source format:
- debian/control: remove build-dep on dpatch
- debian/rules: stop including dpatch.make
- debian/rules: remove dpatch-related target dependencies
- convert patches from dpatch to pure quilt
- remove debian/README.source
* debian/rules: cleaned up the target names a bit to reflect the lack of
patching going on now
* repack bind.tar.gz in upstream source tarball to patch configure.in for
FTBFS on kFreeBSD and remove RFCs (closes: #643569, #645760)
* debian/watch: add dversionmangle to deal with dfsg upstream tarball
* Updated Dutch debconf template translation (closes: #651396)
* Added Polish debconf template translation (closes: #659372)
* Updated Brazilian Portuguese debconf template translation (closes: #663494)
* debian/control: bumped Standards-Version (no changes)
isc-dhcp (4.2.2-2) unstable; urgency=low
* debian/rules: use dpkg-buildflags to set CFLAGS, and export CFLAGS (closes:
#643470)
* debian/dhclient.conf: revert hostname setting behaviour to something
equivalent to what upstream ships to avoid surprising people with unwanted
hostname changes when changing networks (closes: #648676)
* debian/dhclient-script.kfreebsd: apply patch from Robert Millan to resync
dhclient-script with FreeBSD version (closes: #645502)
* debian/control: add inetutils-ping to the dependencies for isc-dhcp-client
on kfreebsd (closes: #648140)
* Updated German debconf template translation (closes: #641843)
* added hardening-wrapper to build dependencies and invoke it in debian/rules
(closes: #611192)
isc-dhcp (4.2.2-1) unstable; urgency=low
* New upstream release, includes security fixes for CVE-2011-2748 and
CVE-2011-2749 (closes: #638404)
* Remove obsolete patches, refit remaining patches
* Remove LDAP patch, it's finally upstream now (yay!)
* debian/rules: adjust double build for the non-existence of the LDAP patch
* debian/isc-dhcp-server-ldap.docs: update for new location of documentation
* debian/rules: added build-arch and build-indep targets
* debian/rules: applied patch from Kees Cook to call dh_link (closes: #614992)
* debian/dhclient-script.linux: applied patch from Colin Watson to make
dhclient-script support stateless DHCPv6 (closes: #632888)
* debian/dhclient-script.linux: fix regression for MTU <= 576 handling
(closes: #638267)
* Apply patch from Peter Marschall to split the rfc3442-classless-routes hook
into a Linux and a kFreeBSD variant, so that the Linux one can use iproute
(closes: #630519)
* debian/isc-dhcp-server.postinst: apply patch from Peter Marschall to
document new variables in /etc/default/isc-dhcp-server
* debian/isc-dhcp-server.init.d: apply patch from Peter Marschall to
- make the name of the default file configurable
- make the name of the server configuration file configurable (closes:
#590158, #565650)
- allow passing additional options to dhcpd (closes: #613734)
- read PID from config file
* Add Catalan debconf template translation (closes: #628372)
* debian/{isc-dhcp-client,dhcp3-client}.links: apply patch from Peter
Marschall to move old compatibility links to the old compatibility package
(closes: #614992)
* debian/isc-dhcp-server.postinst: apply patch from Peter Marschall to fix
comment in /etc/default/isc-dhcp-server (closes: #616417)
* debian/control: apply patch from Peter Marschall to add a Provides:
dhcp-client to isc-dhcp-client (closes: #236001)
* debian/dhclient-script.{linux,kfreebsd}: apply patch from Peter Marschall
to fix metric calculation (closes: #629632)
* debian/dhclient-script.linux: apply patches from Peter Marschall to support
IPv6 link-local resolvers
* debian/dhclient-script.{linux,kfreebsd}: applied patch from Peter Marschall
to factor out the hostname setting to a separate function
* debian/dhclient-script.{linux,kfreebsd}: applied patch from Peter Marschall
to harmonize the logic for setting the hostname (closes: #246155)
* apply patch from Peter Marschall to use one common script for the debug
hooks
* debian/rfc3442-classless-routes.{linux,kfreebsd}: applied patch from Peter
Marschall to take care of link-local routes (closes: #521024)
* debian/dhclient-script.*: apply patch from Peter Marschall to use alternate
value expansion
* debian/isc-dhcp-server.postinst: eliminate an error message from sed if no
interfaces are provided
-- Stephane Graber <stgraber at ubuntu.com> Tue, 03 Jul 2012 09:54:00 -0400
** Changed in: isc-dhcp (Ubuntu)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2748
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2749
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/341817
Title:
dhcpd won't start due to rndc.key permissions
Status in “isc-dhcp” package in Ubuntu:
Fix Released
Bug description:
Binary package hint: dhcp3-server
System information:
#lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04
#apt-cache policy dhcp3-server
dhcp3-server:
Installed: 3.0.6.dfsg-1ubuntu9
Candidate: 3.0.6.dfsg-1ubuntu9
Version table:
*** 3.0.6.dfsg-1ubuntu9 0
500 http://nl.archive.ubuntu.com hardy/main Packages
100 /var/lib/dpkg/status
#apt-cache policy bind9
bind9:
Installed: 1:9.4.2.dfsg.P2-2ubuntu0.1
Candidate: 1:9.4.2.dfsg.P2-2ubuntu0.1
Version table:
*** 1:9.4.2.dfsg.P2-2ubuntu0.1 0
500 http://nl.archive.ubuntu.com hardy-updates/main Packages
500 http://security.ubuntu.com hardy-security/main Packages
100 /var/lib/dpkg/status
1:9.4.2-10 0
500 http://nl.archive.ubuntu.com hardy/main Packages
Problem:
dhcpd won't start - "/etc/bind/rndc.key: Permission denied"
Workaround found, but it is a potential security issue ("/etc/bind/rndc.conf" world readable)
Brief:
Trying to get dhcp3-server and bind9 to work together nicely.
The "/etc/bind/rndc.key" file is owned by bind:bind with 640 perms by default, and the dhcpd3 process runs under user "dhcpd". Adding user "dhcpd" to group "bind" does not seem to work. Permissions of "/etc/bind/rndc.key" need to be changed to 644 for dhcp3-server to start (I could find no other solution - after a few hours of google and 30 minutes of play, at least ;-)
Steps:
- Install & configure bind9 (configuration tested and working)
- Install & configure dhcp3-server
- sudo /etc/init.d/dhcp3-server start
Expected result:
dhcpd starts
Actual result:
#/etc/init.d/dhcp3-server start
dhcpd self-test failed. Please fix the config file.
The error was:
Can't open /etc/bind/rndc.key: Permission denied
#ls -l `which dhcpd3`
-rwxr-xr-x 1 root root 516164 2008-04-02 15:38 /usr/sbin/dhcpd3
#ls -l /etc/bind/rndc.key
-rw-r----- 1 bind bind 77 2009-03-12 14:30 /etc/bind/rndc.key
#id -a dhcpd
uid=111(dhcpd) gid=122(dhcpd) groups=122(dhcpd),121(bind)
Workaround:
- Change permissions of /etc/bind/rndc.key to world readable (from 640 -> 644)
note: adding 'dhcpd' user to 'bind' group does not work for some reason
- Start dhcpd:
#chmod 644 /etc/bind/rndc.key
#/etc/init.d/dhcp3-server start
* Starting DHCP server dhcpd3 [ OK ]
#ps -ef | grep dhcpd
dhcpd 3292 1 0 17:11 ? 00:00:00 /usr/sbin/dhcpd3 -q -pf /var/run/dhcp3-server/dhcpd.pid -cf /etc/dhcp3/dhcpd.conf eth0
root 3298 3090 0 17:11 pts/0 00:00:00 grep dhcpd
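An added example, not code from the report or the isc-dhcp package, that replays the kernel's owner/group/other read check on the `ls -l` and `id -a` lines quoted above, plus two constructed lines for the chmod 644 workaround and for a per-zone key copy under /etc/dhcp/ddns-keys/ as the fix expects (root:dhcpd ownership is an assumption). It also assumes the daemon drops its supplementary groups when it switches to the dhcpd uid/gid, which is one way the group-membership workaround can fail; the report itself states no cause.

```python
"""Replay the kernel's owner/group/other read check on the report's key file.
Added example, not code from the bug report or the isc-dhcp package; parses the
`ls -l` and `id -a` lines quoted there. Assumption (the report gives no cause):
the daemon drops supplementary groups on switching uid/gid, so only the primary
group counts."""
import re
import stat
# ls -l fields: type, 9 permission chars, links, owner, group, size, date, path
LS_RE = re.compile(r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+.*\s(\S+)$")
ID_RE = re.compile(r"uid=\d+\((\w+)\)\s+gid=\d+\((\w+)\)\s+groups=(.*)")

def parse_ls(line):
    """Return (path, owner, group, mode_bits) from one `ls -l` line (path without spaces)."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    bits = 0
    for i, ch in enumerate(m.group(2)):
        if ch in "rwxst":  # lowercase s/t also mean the x bit is set
            bits |= 1 << (8 - i)
    return m.group(5), m.group(3), m.group(4), bits

def parse_id(line):
    """Return (user, primary_group, set_of_all_groups) from an `id -a` line."""
    m = ID_RE.search(line)
    if not m:
        raise ValueError(f"not an id line: {line!r}")
    return m.group(1), m.group(2), set(re.findall(r"\((\w+)\)", m.group(3)))

def can_read(ls_line, id_line, supplementary_dropped=True):
    """True if the account in id_line could open the file in ls_line for reading."""
    _path, owner, group, bits = parse_ls(ls_line)
    user, primary, all_groups = parse_id(id_line)
    if user == owner:
        return bool(bits & stat.S_IRUSR)
    groups = {primary} if supplementary_dropped else all_groups | {primary}
    if group in groups:
        return bool(bits & stat.S_IRGRP)
    return bool(bits & stat.S_IROTH)

def world_readable(ls_line):
    # The property the reporter's chmod 644 workaround introduces.
    return bool(parse_ls(ls_line)[3] & stat.S_IROTH)

# Lines copied from the report.
RNDC_KEY_LS = "-rw-r----- 1 bind bind 77 2009-03-12 14:30 /etc/bind/rndc.key"
DHCPD_ID = "uid=111(dhcpd) gid=122(dhcpd) groups=122(dhcpd),121(bind)"
# Constructed lines: the chmod 644 workaround, and a per-zone key copy under
# /etc/dhcp/ddns-keys/ as the fix expects (root:dhcpd ownership is assumed).
WORKAROUND_LS = "-rw-r--r-- 1 bind bind 77 2009-03-12 14:30 /etc/bind/rndc.key"
DDNS_KEY_LS = "-rw-r----- 1 root dhcpd 77 2012-07-03 14:35 /etc/dhcp/ddns-keys/example.key"
```

With supplementary groups retained the shipped 640 file would be readable via the bind group, which is what the reporter expected; with them dropped only the ddns-keys copy is readable without making the key world-readable.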
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/341817/+subscriptions