[Bug 341817] Re: dhcpd won't start due to rndc.key permissions

Jamie Strandboge jamie at ubuntu.com
Fri Jun 29 11:09:23 UTC 2012


This seems reasonable to me as well. There is no reason to prevent the
server from reading rndc.key as it is strictly required by the server
when it's set up to use rndc. Since we (finally) determined that
/etc/bind/rndc.key is the documented place for the file, it makes sense
to me to add it to the profile. In reading the various manpages, we
should also be including /etc/bind/rndc.conf as well (man rndc.conf).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/341817

Title:
  dhcpd won't start due to rndc.key permissions

Status in “isc-dhcp” package in Ubuntu:
  Fix Committed

Bug description:
  Binary package hint: dhcp3-server

  System information:
  #lsb_release -rd
  Description:    Ubuntu 8.04.1
  Release:        8.04
  #apt-cache policy dhcp3-server
  dhcp3-server:
    Installed: 3.0.6.dfsg-1ubuntu9
    Candidate: 3.0.6.dfsg-1ubuntu9
    Version table:
   *** 3.0.6.dfsg-1ubuntu9 0
          500 http://nl.archive.ubuntu.com hardy/main Packages
          100 /var/lib/dpkg/status
  #apt-cache policy bind9
  bind9:
    Installed: 1:9.4.2.dfsg.P2-2ubuntu0.1
    Candidate: 1:9.4.2.dfsg.P2-2ubuntu0.1
    Version table:
   *** 1:9.4.2.dfsg.P2-2ubuntu0.1 0
          500 http://nl.archive.ubuntu.com hardy-updates/main Packages
          500 http://security.ubuntu.com hardy-security/main Packages
          100 /var/lib/dpkg/status
       1:9.4.2-10 0
          500 http://nl.archive.ubuntu.com hardy/main Packages

  Problem:
  dhcpd won't start - "/etc/bind/rndc.key: Permission denied"
  Workaround found but is a potential security issue ("/etc/bind/rndc.conf" world readable)

  Brief:
  Trying to get dhcp3-server and bind9 to work together nicely.
  The "/etc/bind/rndc.key" file is owned by bind:bind w. 640 perms by default and dhcpd3 process runs under user "dhcpd". Adding user "dhcpd" to group "bind" does not seem to work. Permissions of "/etc/bind/rndc.key" need to be changed to 644 for dhcp3-server to start (I could find no other solution - after a few hours of google and 30 minutes of play, at least ;-)

  Steps:
  - Install & configure bind9 (configuration tested and working)
  - Install & configure dhcp3-server
  - sudo /etc/init.d/dhcp3-server start

  Expected result:
  dhcpd starts

  Actual result:
  #/etc/init.d/dhcp3-server start
  dhcpd self-test failed. Please fix the config file.
  The error was:
  Can't open /etc/bind/rndc.key: Permission denied
  #ls -l `which dhcpd3`
  -rwxr-xr-x 1 root root 516164 2008-04-02 15:38 /usr/sbin/dhcpd3
  #ls -l /etc/bind/rndc.key
  -rw-r----- 1 bind bind 77 2009-03-12 14:30 /etc/bind/rndc.key
  #id -a dhcpd
  uid=111(dhcpd) gid=122(dhcpd) groups=122(dhcpd),121(bind)

  Workaround:
  - Change permissions of /etc/bind/rndc.key to world readable (from 640 -> 644)
    note: adding 'dhcpd' user to 'bind' group does not work for some reason
  - Start dhcpd:
  #chmod 644 /etc/bind/rndc.key
  #/etc/init.d/dhcp3-server start
   * Starting DHCP server dhcpd3                                                                                         [ OK ]
  #ps -ef | grep dhcpd
  dhcpd     3292     1  0 17:11 ?        00:00:00 /usr/sbin/dhcpd3 -q -pf /var/run/dhcp3-server/dhcpd.pid -cf /etc/dhcp3/dhcpd.conf eth0
  root      3298  3090  0 17:11 pts/0    00:00:00 grep dhcpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/341817/+subscriptions
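The following script is an added example, not part of the bug report or of the Ubuntu package. It audits the two things discussed above: whether the key has been left world-readable by the 644 workaround, and whether the dhcpd profile carries a read rule for the key. It assumes the profile is an AppArmor profile using path-first rules, and the profile path shown in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug report. Audits both access layers for the
# key: mode bits (the 644 workaround) and the dhcpd confinement profile rule.

# world_readable FILE: succeeds if "other" has the read bit set.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# profile_allows_read PROFILE PATH: succeeds if PROFILE has a literal rule
# such as "PATH r,". Globs, includes and variables are not expanded.
profile_allows_read() {
    awk -v p="$2" '
        { sub(/#.*/, "") }                               # strip comments
        $1 == p && $2 ~ /^[a-z]*r[a-z]*,$/ { found = 1 } # perms containing r
        END { exit !found }
    ' "$1"
}

# audit_rndc_key KEY PROFILE: prints findings, returns the number of problems.
audit_rndc_key() {
    problems=0
    if world_readable "$1"; then
        echo "FAIL: $1 is world-readable; restore with: chmod 640 $1"
        problems=$((problems + 1))
    fi
    if ! profile_allows_read "$2" "$1"; then
        echo "FAIL: $2 has no read rule for $1; add the line: $1 r,"
        problems=$((problems + 1))
    fi
    [ "$problems" -ne 0 ] || echo "OK: key is not world-readable and the profile grants read"
    return "$problems"
}

# Usage: sh audit.sh /etc/bind/rndc.key /etc/apparmor.d/usr.sbin.dhcpd
# (the profile path is an assumption; it is not given in the report)
if [ "$#" -eq 2 ]; then
    audit_rndc_key "$1" "$2"
fi
```

After editing a profile, it has to be reloaded (for AppArmor, `apparmor_parser -r` on the profile file) before the new rule takes effect.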
