[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

Marc Deslauriers marc.deslauriers at canonical.com
Fri Jun 29 12:27:52 UTC 2012


OK, now that I've thought about this some more, we should _not_ be
allowing the dhcp server to read the rndc.key.

The rndc.key key isn't for dynamic updates, it's for use by the rndc
utility for server management. It would typically be used by sysadmins
inside the "controls" statement in the config file.

Reusing this same key for dynamic updates is a security issue, as it may
allow more permissions than what is intended. Dynamic updates should be
using other keys, not that particular one.

Perhaps we should define a standard location for dynamic update keys
that could be used by both bind9 and dhcp, and we could add that to the
apparmor profile...perhaps a "keys" subdirectory?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/341817

Title:
  dhcpd wont start due to rndc.key permissions

Status in “isc-dhcp” package in Ubuntu:
  Fix Committed

Bug description:
  Binary package hint: dhcp3-server

  System information:
  #lsb_release -rd
  Description:    Ubuntu 8.04.1
  Release:        8.04
  #apt-cache policy dhcp3-server
  dhcp3-server:
    Installed: 3.0.6.dfsg-1ubuntu9
    Candidate: 3.0.6.dfsg-1ubuntu9
    Version table:
   *** 3.0.6.dfsg-1ubuntu9 0
          500 http://nl.archive.ubuntu.com hardy/main Packages
          100 /var/lib/dpkg/status
  #apt-cache policy bind9
  bind9:
    Installed: 1:9.4.2.dfsg.P2-2ubuntu0.1
    Candidate: 1:9.4.2.dfsg.P2-2ubuntu0.1
    Version table:
   *** 1:9.4.2.dfsg.P2-2ubuntu0.1 0
          500 http://nl.archive.ubuntu.com hardy-updates/main Packages
          500 http://security.ubuntu.com hardy-security/main Packages
          100 /var/lib/dpkg/status
       1:9.4.2-10 0
          500 http://nl.archive.ubuntu.com hardy/main Packages

  Problem:
  dhcpd won't start - "/etc/bind/rndc.key: Permission denied"
  Workaround found but is a potential security issue ("/etc/bind/rndc.conf" world readable)

  Brief:
  Trying to get dhcp3-server and bind9 to work together nicely.
  The "/etc/bind/rndc.key" file is owned by bind:bind w. 640 perms by default and dhcpd3 process runs under user "dhcpd". Adding user "dhcpd" to group "bind" does not seem to work. Permissions of "/etc/bind/rndc.key" need to be changed to 644 for dhcp3-server to start (I could find no other solution - after a few hours of google and 30 minutes of play, at least ;-)

  Steps:
  - Install & configure bind9 (configuration tested and working)
  - Install & configure dhcp3-server
  - sudo /etc/init.d/dhcp3-server start

  Expected result:
  dhcpd starts

  Actual result:
  #/etc/init.d/dhcp3-server start
  dhcpd self-test failed. Please fix the config file.
  The error was:
  Can't open /etc/bind/rndc.key: Permission denied
  #ls -l `which dhcpd3`
  -rwxr-xr-x 1 root root 516164 2008-04-02 15:38 /usr/sbin/dhcpd3
  #ls -l /etc/bind/rndc.key
  -rw-r----- 1 bind bind 77 2009-03-12 14:30 /etc/bind/rndc.key
  #id -a dhcpd
  uid=111(dhcpd) gid=122(dhcpd) groups=122(dhcpd),121(bind)

  Workaround:
  - Change permissions of /etc/bind/rndc.key to world readable (from 640 -> 644)
    note: adding 'dhcpd' user to 'bind' group does not work for some reason
  - Start dhcpd:
  #chmod 644 /etc/bind/rndc.key
  #/etc/init.d/dhcp3-server start
   * Starting DHCP server dhcpd3                                                                                         [ OK ]
  #ps -ef | grep dhcpd
  dhcpd     3292     1  0 17:11 ?        00:00:00 /usr/sbin/dhcpd3 -q -pf /var/run/dhcp3-server/dhcpd.pid -cf /etc/dhcp3/dhcpd.conf eth0
  root      3298  3090  0 17:11 pts/0    00:00:00 grep dhcpd

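The separation Marc argues for above, as an added example that is not code from the bug thread or from the bind9/isc-dhcp packages: a POSIX sh script that generates a dedicated TSIG key for dynamic updates, stores it group-readable in a "keys" subdirectory, and writes the matching named and dhcpd fragments, leaving rndc.key untouched for the "controls" channel. The directory layout, the key name dhcp-update and the zone example.internal are assumptions, and the script assumes a dhcpd new enough to accept hmac-sha256 (the 3.0.x in the report only knows hmac-md5).

```shell
#!/bin/sh
# Added example, not code from the bug thread: keep rndc.key private to named
# and give dhcpd its own TSIG key for dynamic updates in a shared keys directory.
# Paths, the key name and the zone name are assumptions for illustration.
set -eu

# Generate a 256-bit HMAC-SHA256 secret, base64 encoded (what tsig-keygen emits).
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
  fi
}

# write_update_key ROOT: writes ROOT/keys/dhcp-update.key and matching named
# and dhcpd snippets. In production ROOT is /etc/bind; the key file is then
# chowned bind:bind (with dhcpd in group bind, or an AppArmor rule for the
# keys directory) so both daemons read it while rndc.key stays 0640 bind:bind.
write_update_key() {
  root=$1
  keyfile="$root/keys/dhcp-update.key"
  secret=$(gen_secret)
  mkdir -p "$root/keys"
  (umask 077; : > "$keyfile")     # create closed, never briefly world-readable
  chmod 0640 "$keyfile"           # owner rw, group r, nothing for others
  cat > "$keyfile" <<EOF
key "dhcp-update" {
	algorithm hmac-sha256;
	secret "$secret";
};
EOF
  # named.conf fragment: rndc.key is referenced only by "controls" (not shown);
  # the zone accepts updates signed with dhcp-update and nothing else.
  cat > "$root/named.conf.dhcp" <<EOF
include "$keyfile";
zone "example.internal" {
	type master;
	file "/var/lib/bind/db.example.internal";
	allow-update { key dhcp-update; };
};
EOF
  # dhcpd.conf fragment: the same key file, referenced by name in the zone.
  cat > "$root/dhcpd.conf.ddns" <<EOF
include "$keyfile";
zone example.internal. { primary 127.0.0.1; key dhcp-update; }
EOF
}

if [ $# -gt 0 ]; then write_update_key "$1"; fi
```

Running it as `sh script.sh /etc/bind` (as root) produces the three files; the generated fragments are then pulled in from named.conf.local and dhcpd.conf with their own include statements.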