[Bug 2031398] Re: execve (/bin/true, ...): Permission denied printed, when cloud-init-local run
Christian Ehrhardt
2031398 at bugs.launchpad.net
Wed Aug 23 08:52:07 UTC 2023
*** This bug is a duplicate of bug 2011628 ***
https://bugs.launchpad.net/bugs/2011628
Thanks,
Calvin and I looked at it and you are right.
This is in cloud-init since [1] and used -sf as in [2] to avoid any side effects by the content of that file.
=> "... If unspecified, the default /sbin/dhclient-script is used. ..."
I think it should be safe to allow execution of that as a common pattern
to avoid falling back to the default.
For the severity we need to find out, if
a) call dhclient with -sf /bin/true to do nothing
isn't just the same as
b) call dhclient with -sf /bin/true, get denied, but do everything else the same
If they are the same then this would only cause the annoying log message.
If they actually behave different
We can recreate this in a VM:
ubuntu@l:~$ sudo dhclient -v -1 -sf /bin/true
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
execve (/bin/true, ...): Permission denied
Listening on LPF/enp1s0/52:54:00:be:7a:d2
Sending on LPF/enp1s0/52:54:00:be:7a:d2
Sending on Socket/fallback
xid: warning: no netdev with useable HWADDR found for seed's uniqueness enforcement
xid: rand init seed (0x649ac969) built using gethostid
DHCPREQUEST for 192.168.122.239 on enp1s0 to 255.255.255.255 port 67 (xid=0x7ee9d4f5)
DHCPACK of 192.168.122.239 from 192.168.122.1 (xid=0xf5d4e97e)
execve (/bin/true, ...): Permission denied
bound to 192.168.122.239 -- renewal in 1781 seconds.
ubuntu@l:~$ echo $?
0
We see it is denied, but otherwise happy.
So my point is:
We try to use -sf /bin/true so it does not execute anything with a side-effect.
Being denied by apparmor means no side-effect happens.
So - as assumed - the only "impact" is the annoying log message.
[1]: https://git.launchpad.net/cloud-init/commit/?id=d5f855dd96ccbea77f61b0515b574ad2c43d116d
[2]: https://manpages.ubuntu.com/manpages/jammy/man8/dhclient.8.html
** Changed in: isc-dhcp (Ubuntu)
Importance: Undecided => Low
** Changed in: cloud-init (Ubuntu)
Importance: Undecided => Low
https://bugs.launchpad.net/bugs/2031398
Title:
execve (/bin/true, ...): Permission denied printed, when cloud-init-local run
Status in cloud-init package in Ubuntu:
Invalid
Status in isc-dhcp package in Ubuntu:
Triaged
Bug description:
In the cloud-init-local stage, the dhclient command is used to discover the IP and get metadata from the meta-server.
The command which cloud-init-local executes is '/usr/sbin/dhclient -1 -v -lf /run/dhclient.lease -pf /run/dhclient.pid eth0 -sf /bin/true'. However, when the apparmor service is loaded, the kernel prevents the /usr/sbin/dhclient command from executing scripts other than /sbin/dhclient-script. And when the -sf parameter is used in cloud-init-local to specify the execution of /bin/true, this error occurs during the execve call in the dhclient process.
lsb_release -rd:
Description: Ubuntu 22.04.2 LTS
Release: 22.04
cloud-init : 23.1.2-0ubuntu0~22.04.1
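A triage helper for the denial discussed in this thread, as an added example that is not part of the original message or of cloud-init or isc-dhcp: it parses kernel AppArmor audit records and separates the harmless `-sf /bin/true` denial from any other script exec that the dhclient profile blocked. The sample log lines are constructed, and matching the profile by its `sbin/dhclient` suffix is an assumption about how the profile is named on the host.

```python
import re

# key="value" or key=value pairs as they appear in kernel audit records
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# The no-op script from this bug; /bin may resolve to /usr/bin on merged-usr hosts
NOOP_SCRIPTS = {"/bin/true", "/usr/bin/true"}

def parse_audit(line):
    """Return the key/value fields of one audit line as a dict."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in PAIR.findall(line)}

def classify(line):
    """'benign-noop', 'review', or None when the line is not a dhclient exec denial."""
    f = parse_audit(line)
    if f.get("apparmor") != "DENIED" or f.get("operation") != "exec":
        return None
    # Assumption: the confining profile's name ends in sbin/dhclient
    if not f.get("profile", "").endswith("sbin/dhclient"):
        return None
    return "benign-noop" if f.get("name") in NOOP_SCRIPTS else "review"

def triage(lines):
    """Group blocked script paths by verdict, skipping unrelated lines."""
    result = {"benign-noop": [], "review": []}
    for line in lines:
        verdict = classify(line)
        if verdict:
            result[verdict].append(parse_audit(line).get("name", "?"))
    return result

# Constructed sample records (not taken from the bug report)
SAMPLE_LINES = [
    'audit: type=1400 audit(1692780727.101:41): apparmor="DENIED" operation="exec" '
    'profile="/{,usr/}sbin/dhclient" name="/usr/bin/true" pid=812 comm="dhclient" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'audit: type=1400 audit(1692780729.300:42): apparmor="DENIED" operation="exec" '
    'profile="/{,usr/}sbin/dhclient" name="/usr/local/bin/custom-hook" pid=830 '
    'comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'audit: type=1400 audit(1692780700.010:12): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=401',
    'audit: type=1400 audit(1692780731.500:43): apparmor="DENIED" operation="exec" '
    'profile="/usr/sbin/cupsd" name="/usr/bin/true" pid=900 comm="cupsd" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

Entries under `review` are script paths other than the no-op that dhclient tried to run and was denied; those are the ones to look at by hand.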