[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2015-11-07 Thread no!chance
I wonder, no one provides a real solution for this bug ... AFTER MORE THAN 3 YEARS. It is not a bug! But it looks like nobody documented the changes. Simply chown the rndc.key-File to root:root. Start the dhcp server! That's it!
$ sudo chown dhcpd: rndc.key
$ sudo service isc-dhcp-server start st

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-07-03 Thread Launchpad Bug Tracker
This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu1
---
isc-dhcp (4.2.4-1ubuntu1) quantal; urgency=low
  * Merge from Debian. Remaining changes: (LP: #768171, LP: #841182, LP: #881558, LP: #872929, LP: #616809)
    - Use upstart jobs for isc-dhcp-server and isc-dhcp-relay.

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-29 Thread Stéphane Graber
After some more discussion, what will be allowed is:
/etc/dhcp/ddns-keys/** r,
That directory will be created at install time, owned by root:dhcpd and mode 750. The apparmor rule comment and the changelog will both encourage people to generate separate keys and copy them into that directory.

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-29 Thread Marc Deslauriers
Most of the example dynamic dns configs and howtos that are available on the internet aren't secure, as they use the rndc.key and require the dhcpd user to be in the bind group, both of which compromise security. A new key should be generated for dynamic dns updates, as described in the dhcpd.conf man p

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-29 Thread Jamie Strandboge
I like this idea much better. Whether packaging creates a special dynamic dns updates key or uses a keys directory, these keys are actually specifically designed for use with dynamic updates and totally appropriate to add to the apparmor profile. Unrelated to this bug, if packaging is being adjuste

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-29 Thread Marc Deslauriers
OK, now that I've thought about this some more, we should _not_ be allowing the dhcp server to read the rndc.key. The rndc.key key isn't for dynamic updates, it's for use by the rndc utility for server management. It would typically be used by sysadmins inside the "controls" statement in the confi

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-29 Thread Jamie Strandboge
So, in thinking about and discussing this more, I would like to justify my position somewhat: while I am not super happy about the added permission given to dhcpd, I do think that people who install both dhcpd and bind9 on the same system will tend to use dynamic updates, and at least some of those

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-29 Thread Jamie Strandboge
Actually, strike that-- I was thinking about the bind9 server needing these permissions. isc-dhcp should *not* have read access to /etc/bind/rndc.conf, please disregard that request. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. http

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-29 Thread Jamie Strandboge
This seems reasonable to me as well. There is no reason to prevent the server from reading rndc.key as it is strictly required by the server when it's set up to use rndc. Since we (finally) determined that /etc/bind/rndc.key is the documented place for the file, it makes sense to me to add it to the

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-28 Thread Stéphane Graber
** Changed in: isc-dhcp (Ubuntu) Status: Confirmed => Fix Committed

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-28 Thread Marc Deslauriers
I do believe having the dhcp server set up with dynamic dns is a recommended setup, so I think adding read access to /etc/bind/rndc.key to the dhcp server apparmor profile is a reasonable thing to do. (bug 727837 probably needs to be fixed also for this to ultimately work). ** Changed in: isc-dhcp

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-27 Thread Stéphane Graber
Marking Incomplete to reflect the fact that I'm blocked on feedback from the security team.
** Changed in: isc-dhcp (Ubuntu) Status: Triaged => Incomplete

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2012-06-26 Thread Stéphane Graber
Subscribing ubuntu-security for a go/no-go on adding rndc.key to the apparmor profile so that users can simply add dhcpd to the bind group, thereby allowing access to the key.
** Changed in: isc-dhcp (Ubuntu) Importance: Undecided => Wishlist

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-11-14 Thread Carl Karsten
Oops, ignore that. Meant for other bug.

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-11-14 Thread Carl Karsten
install finished and rebooted.. I need to get back into the installer shell and see if I can run apt-avahi-discover

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-11-12 Thread Carl Karsten
** Package changed: dhcp3 (Ubuntu) => isc-dhcp (Ubuntu)

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-11-10 Thread Carl Karsten
I agree, side effect of https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/727837
Here is a demo of the bug, and a work around: add user root to the bind group. attached is the script, here is it being run:
juser@kasp:~$ su

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-05-12 Thread Juha Erkkilä
It seems this bug is a symptom of this bug: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/727837

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-04-28 Thread Lorin Soura
After some extensive tinkering, I came up with this solution to the rndc.key permissions issue: As the root user (or sudo) do the following:
cp /etc/bind/rndc.key /etc/dhcp3/
chown dhcp:dhcp /etc/dhcp3/rndc.key
chmod 640 /etc/dhcp3/rndc.key
In "/etc/dhcp3/dhcpd.conf" add this line:
include "/etc

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-01-18 Thread Thomas Schweikle
I've tested again:
group bind has users: dhcpd
group dhcpd has users: bind
apparmor.d/usr.sbin.named
apparmor.d/usr.sbin.dhcpd3
both have a line:
/etc/bind/** r,
-> apparmor allows them to read the file.
/etc/bind is owned by bind:bind, rwxrwx---
/etc/bind/rndc.key is owned by bind:bind, rw-r---

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-01-18 Thread Thomas Schweikle
The standard location for rndc.key is, since it belongs to "bind"-Tools: /etc/bind/rndc.key It should be sufficient to add this whole directory to both: named and dhcpd in apparmor.d BTW: it would be nice if named used /etc/named for its configuration files! Named and bind-tools are two things o

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2010-08-24 Thread Jamie Strandboge
As Chuck said, this doesn't seem like something that can be fixed safely for everyone. People can always add the key they want to use to /etc/apparmor.d/usr.sbin.dhcpd and then reload the profile. Is there a common practice location that we can consider? I think rndc.key is probably out of the que

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2010-08-24 Thread Stephen Gildea
I'm seeing the same thing in 10.04. The problem is the profile in /etc/apparmor.d/usr.sbin.dhcpd3, which doesn't allow reading any files in /etc/bind. Could we have a one-file exception added to this profile, please, to share a key between bind and dhcpd? The original poster used rndc.key, but I

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2010-03-07 Thread ben thielsen
i'd like to bump this entry a bit - if nothing else, to understand better why exactly this doesn't work. as the user dhcpd runs as (dhcpd), i can read the key file (by way of a symlink, in my case):
>whoami
dhcpd
>id dhcpd
uid=105(dhcpd) gid=113(dhcpd) groups=113(dhcpd),999(ddns)
>ls -Alh
total

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2010-02-03 Thread misse
Hi guys, this kind of solves the "bug" http://www.debianadmin.com/howto-setup-dhcp-server-and-dynamic-dns-with-bind-in-debian.html#comment-3326 /Misse

[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2009-10-06 Thread Chuck Short
Thanks for the bug report, I don't think there is a fix for this due to the nature of the beast. Regards chuck
** Changed in: dhcp3 (Ubuntu) Status: New => Triaged