[Bug 341817] Re: dhcpd wont start due to rndc.key permissions
Stéphane Graber
stgraber at stgraber.org
Fri Jun 29 14:39:57 UTC 2012
After some more discussion, what will be allowed is:
/etc/dhcp/ddns-keys/** r,
That directory will be created at install time, owned by root:dhcpd and
mode 750. The apparmor rule comment and the changelog will both
encourage people to generate separate keys and copy them into that
directory.
--
https://bugs.launchpad.net/bugs/341817
Title:
dhcpd wont start due to rndc.key permissions
Status in “isc-dhcp” package in Ubuntu:
Fix Committed
Bug description:
Binary package hint: dhcp3-server
System information:
#lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

#apt-cache policy dhcp3-server
dhcp3-server:
  Installed: 3.0.6.dfsg-1ubuntu9
  Candidate: 3.0.6.dfsg-1ubuntu9
  Version table:
 *** 3.0.6.dfsg-1ubuntu9 0
        500 http://nl.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status

#apt-cache policy bind9
bind9:
  Installed: 1:9.4.2.dfsg.P2-2ubuntu0.1
  Candidate: 1:9.4.2.dfsg.P2-2ubuntu0.1
  Version table:
 *** 1:9.4.2.dfsg.P2-2ubuntu0.1 0
        500 http://nl.archive.ubuntu.com hardy-updates/main Packages
        500 http://security.ubuntu.com hardy-security/main Packages
        100 /var/lib/dpkg/status
     1:9.4.2-10 0
        500 http://nl.archive.ubuntu.com hardy/main Packages
Problem:
dhcpd won't start - "/etc/bind/rndc.key: Permission denied"
Workaround found but is a potential security issue ("/etc/bind/rndc.conf" world readable)
Brief:
Trying to get dhcp3-server and bind9 to work together nicely.
The "/etc/bind/rndc.key" file is owned by bind:bind w. 640 perms by default and dhcpd3 process runs under user "dhcpd". Adding user "dhcpd" to group "bind" does not seem to work. Permissions of "/etc/bind/rndc.key" need to be changed to 644 for dhcp3-server to start (I could find no other solution - after a few hours of google and 30 minutes of play, at least ;-)
Steps:
- Install & configure bind9 (configuration tested and working)
- Install & configure dhcp3-server
- sudo /etc/init.d/dhcp3-server start
Expected result:
dhcpd starts
Actual result:
#/etc/init.d/dhcp3-server start
dhcpd self-test failed. Please fix the config file.
The error was:
Can't open /etc/bind/rndc.key: Permission denied
#ls -l `which dhcpd3`
-rwxr-xr-x 1 root root 516164 2008-04-02 15:38 /usr/sbin/dhcpd3
#ls -l /etc/bind/rndc.key
-rw-r----- 1 bind bind 77 2009-03-12 14:30 /etc/bind/rndc.key
#id -a dhcpd
uid=111(dhcpd) gid=122(dhcpd) groups=122(dhcpd),121(bind)
Workaround:
- Change permissions of /etc/bind/rndc.key to world readable (from 640 -> 644)
note: adding 'dhcpd' user to 'bind' group does not work for some reason
- Start dhcpd:
#chmod 644 /etc/bind/rndc.key
#/etc/init.d/dhcp3-server start
* Starting DHCP server dhcpd3 [ OK ]
#ps -ef | grep dhcpd
dhcpd 3292 1 0 17:11 ? 00:00:00 /usr/sbin/dhcpd3 -q -pf /var/run/dhcp3-server/dhcpd.pid -cf /etc/dhcp3/dhcpd.conf eth0
root 3298 3090 0 17:11 pts/0 00:00:00 grep dhcpd
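
An added example, not part of the original message or of the isc-dhcp package: a shell function that audits a key directory against the layout described in the comment above (mode 750, owned by root:dhcpd, keys generated separately rather than copied from rndc.key). The function name, argument order and output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Usage: audit_ddns_keys DIR [USER GROUP [RNDC_KEY]]
#   e.g. audit_ddns_keys /etc/dhcp/ddns-keys root dhcpd /etc/bind/rndc.key
# Prints one finding per line.
# Returns 0 when clean, 1 when there are findings, 2 when DIR is missing.
audit_ddns_keys() {
    dir=$1 user=${2:-} group=${3:-} rndc=${4:-}
    rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    # The directory itself must be exactly mode 750.
    if [ -z "$(find "$dir" -prune -perm 0750 2>/dev/null)" ]; then
        echo "BAD-MODE $dir (want 750)"; rc=1
    fi

    # Ownership is only checked when a user and group are supplied.
    if [ -n "$user" ] &&
       [ -z "$(find "$dir" -prune -user "$user" -group "$group" 2>/dev/null)" ]; then
        echo "BAD-OWNER $dir (want $user:$group)"; rc=1
    fi

    # No key file should grant any access to "other", as the 644
    # workaround in the bug description did for rndc.key.
    loose=$(find "$dir" -type f \
        \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/WORLD-ACCESS /'; rc=1
    fi

    # Keys should be separate ones, not byte-for-byte copies of rndc.key.
    if [ -n "$rndc" ] && [ -r "$rndc" ]; then
        reused=$(find "$dir" -type f -exec cmp -s "$rndc" {} \; -print 2>/dev/null)
        if [ -n "$reused" ]; then
            echo "$reused" | sed 's/^/REUSED-RNDC-KEY /'; rc=1
        fi
    fi
    return $rc
}
```

The rndc.key comparison needs read access to that file, so run the audit as root when passing the fourth argument.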