[Bug 341817] Re: dhcpd wont start due to rndc.key permissions
Jamie Strandboge
jamie at ubuntu.com
Fri Jun 29 12:11:30 UTC 2012
So, in thinking about and discussing this more, I would like to justify
my position somewhat: while I am not super happy about the added
permission given to dhcpd, I do think that people who install both dhcpd
and bind9 on the same system will tend to use dynamic updates, and at
least some of those people are disabling AppArmor to work around this
bug, resulting in a decrease in security for these users. For dhcpd
servers that don't have bind9 installed (I would imagine most), this
change does nothing because rndc.key doesn't exist.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/341817
Title:
dhcpd wont start due to rndc.key permissions
Status in “isc-dhcp” package in Ubuntu:
Fix Committed
Bug description:
Binary package hint: dhcp3-server
System information:
#lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04
#apt-cache policy dhcp3-server
dhcp3-server:
Installed: 3.0.6.dfsg-1ubuntu9
Candidate: 3.0.6.dfsg-1ubuntu9
Version table:
*** 3.0.6.dfsg-1ubuntu9 0
500 http://nl.archive.ubuntu.com hardy/main Packages
100 /var/lib/dpkg/status
#apt-cache policy bind9
bind9:
Installed: 1:9.4.2.dfsg.P2-2ubuntu0.1
Candidate: 1:9.4.2.dfsg.P2-2ubuntu0.1
Version table:
*** 1:9.4.2.dfsg.P2-2ubuntu0.1 0
500 http://nl.archive.ubuntu.com hardy-updates/main Packages
500 http://security.ubuntu.com hardy-security/main Packages
100 /var/lib/dpkg/status
1:9.4.2-10 0
500 http://nl.archive.ubuntu.com hardy/main Packages
Problem:
dhcpd won't start: "/etc/bind/rndc.key: Permission denied"
Workaround found, but it is a potential security issue ("/etc/bind/rndc.conf" world readable)
Brief:
Trying to get dhcp3-server and bind9 to work together nicely.
The "/etc/bind/rndc.key" file is owned by bind:bind with 640 perms by default, and the dhcpd3 process runs under user "dhcpd". Adding user "dhcpd" to group "bind" does not seem to work. Permissions of "/etc/bind/rndc.key" need to be changed to 644 for dhcp3-server to start (I could find no other solution - after a few hours of google and 30 minutes of play, at least ;-)
Steps:
- Install & configure bind9 (configuration tested and working)
- Install & configure dhcp3-server
- sudo /etc/init.d/dhcp3-server start
Expected result:
dhcpd starts
Actual result:
#/etc/init.d/dhcp3-server start
dhcpd self-test failed. Please fix the config file.
The error was:
Can't open /etc/bind/rndc.key: Permission denied
#ls -l `which dhcpd3`
-rwxr-xr-x 1 root root 516164 2008-04-02 15:38 /usr/sbin/dhcpd3
#ls -l /etc/bind/rndc.key
-rw-r----- 1 bind bind 77 2009-03-12 14:30 /etc/bind/rndc.key
#id -a dhcpd
uid=111(dhcpd) gid=122(dhcpd) groups=122(dhcpd),121(bind)
Workaround:
- Change permissions of /etc/bind/rndc.key to world readable (from 640 -> 644)
note: adding 'dhcpd' user to 'bind' group does not work for some reason
- Start dhcpd:
#chmod 644 /etc/bind/rndc.key
#/etc/init.d/dhcp3-server start
* Starting DHCP server dhcpd3 [ OK ]
#ps -ef | grep dhcpd
dhcpd 3292 1 0 17:11 ? 00:00:00 /usr/sbin/dhcpd3 -q -pf /var/run/dhcp3-server/dhcpd.pid -cf /etc/dhcp3/dhcpd.conf eth0
root 3298 3090 0 17:11 pts/0 00:00:00 grep dhcpd
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/341817/+subscriptions
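Added example, not code from the bug thread or from the isc-dhcp package: a small POSIX sh audit that separates the two access layers this report and the comment above run into, the key file's DAC bits (default 640 bind:bind versus the chmod 644 workaround) and the AppArmor profile confining dhcpd. The sample values are constructed from the `ls -l` and `id -a` output in the report; the AppArmor rule form "/etc/bind/rndc.key r," is the standard file-rule syntax, not a line quoted from the thread.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the isc-dhcp package.
# It separates the two access layers the report runs into: the file's
# DAC bits (the chmod 644 workaround vs. the default 640 bind:bind) and
# the AppArmor profile that confines dhcpd. All inputs are passed in, so
# it runs without touching a live system.

# key_access MODE OWNER GROUP USER USERGROUPS
#   MODE is octal (640, 644 ...); USERGROUPS is a space-separated list as
#   `id -Gn USER` prints it. Prints the DAC verdict for a read of the key:
#     world-readable  the 644 workaround: every local account can read the TSIG key
#     owner           readable because USER owns the file
#     group           readable only through group membership (the intended 640 state)
#     none            the permission bits deny the read
key_access() {
    mode=$1 owner=$2 group=$3 user=$4 usergroups=$5
    # other-read bit set: the secret is exposed regardless of who asks
    if [ $(( 0$mode & 04 )) -ne 0 ]; then echo world-readable; return; fi
    if [ "$user" = "$owner" ] && [ $(( 0$mode & 0400 )) -ne 0 ]; then echo owner; return; fi
    for g in $usergroups; do
        if [ "$g" = "$group" ] && [ $(( 0$mode & 040 )) -ne 0 ]; then echo group; return; fi
    done
    echo none
}

# apparmor_allows_key < PROFILE
#   Succeeds when the AppArmor profile on stdin has an uncommented rule
#   granting read access to /etc/bind/rndc.key (rule form "/etc/bind/rndc.key r,").
#   This is the layer the DAC check cannot see: in the report the key is 640
#   bind:bind and dhcpd is already in group bind, so key_access says "group",
#   yet the daemon fails until the confining profile permits the read. That
#   profile rule is the "added permission" the comment above refers to.
apparmor_allows_key() {
    grep -Eq '^[[:space:]]*/etc/bind/rndc\.key[[:space:]]+[a-z]*r[a-z]*,'
}

# Constructed demonstration using the facts from the report (no system access).
dhcpd_groups="dhcpd bind"        # from `id -a dhcpd`: groups=dhcpd,bind
echo "default 640 bind:bind -> $(key_access 640 bind bind dhcpd "$dhcpd_groups")"
echo "workaround 644        -> $(key_access 644 bind bind dhcpd "$dhcpd_groups")"
profile='/etc/bind/rndc.key r,'  # constructed one-rule profile fragment
if printf '%s\n' "$profile" | apparmor_allows_key; then
    echo "profile allows reading rndc.key"
fi
```

On a real host, feed the live values (`stat -c '%a %U %G' /etc/bind/rndc.key`, `id -Gn dhcpd`, and the dhcpd profile from /etc/apparmor.d) into the two functions; a "world-readable" verdict means the chmod workaround is still in place.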