[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-11-12 Thread Carl Karsten
** Package changed: dhcp3 (Ubuntu) => isc-dhcp (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dhcp3 in Ubuntu.
https://bugs.launchpad.net/bugs/341817

Title:
  dhcpd wont start due to rndc.key permissions

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/341817/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-11-10 Thread Carl Karsten
I agree, side effect of
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/727837

Here is a demo of the bug, and a workaround: add user root to the bind
group. Attached is the script; here it is being run:

juser@kasp:~$ sudo ./ddns.sh 
[sudo] password for juser: 
+ apt-get --assume-yes install dhcp3-server bind9
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following extra packages will be installed:
  bind9utils isc-dhcp-server
Suggested packages:
  bind9-doc resolvconf isc-dhcp-server-ldap
The following NEW packages will be installed:
  bind9 bind9utils dhcp3-server isc-dhcp-server
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 866 kB of archives.
After this operation, 2,568 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ oneiric/main bind9utils amd64 
1:9.7.3.dfsg-1ubuntu4 [104 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ oneiric/main bind9 amd64 
1:9.7.3.dfsg-1ubuntu4 [331 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ oneiric/main isc-dhcp-server amd64 
4.1.1-P1-17ubuntu10 [427 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu/ oneiric/main dhcp3-server all 
4.1.1-P1-17ubuntu10 [3,296 B]
Fetched 866 kB in 1s (737 kB/s)  
Preconfiguring packages ...
Selecting previously deselected package bind9utils.
(Reading database ... 94476 files and directories currently installed.)
Unpacking bind9utils (from .../bind9utils_1%3a9.7.3.dfsg-1ubuntu4_amd64.deb) ...
Selecting previously deselected package bind9.
Unpacking bind9 (from .../bind9_1%3a9.7.3.dfsg-1ubuntu4_amd64.deb) ...
Selecting previously deselected package isc-dhcp-server.
Unpacking isc-dhcp-server (from 
.../isc-dhcp-server_4.1.1-P1-17ubuntu10_amd64.deb) ...
Selecting previously deselected package dhcp3-server.
Unpacking dhcp3-server (from .../dhcp3-server_4.1.1-P1-17ubuntu10_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ufw ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Setting up bind9utils (1:9.7.3.dfsg-1ubuntu4) ...
Setting up bind9 (1:9.7.3.dfsg-1ubuntu4) ...
Adding group `bind' (GID 113) ...
Done.
Adding system user `bind' (UID 107) ...
Adding new user `bind' (UID 107) with group `bind' ...
Not creating home directory `/var/cache/bind'.
wrote key file /etc/bind/rndc.key
#
 * Starting domain name service... bind9 [ OK ] 
Setting up isc-dhcp-server (4.1.1-P1-17ubuntu10) ...
Generating /etc/default/isc-dhcp-server...
 * Starting ISC DHCP server dhcpd   
 * check syslog for diagnostics.
 [fail]
invoke-rc.d: initscript isc-dhcp-server, action start failed.
Setting up dhcp3-server (4.1.1-P1-17ubuntu10) ...
+ adduser dhcpd bind
Adding user `dhcpd' to group `bind' ...
Adding user dhcpd to group bind
Done.
+ cat
+ cat
+ service apparmor restart
 * Reloading AppArmor profiles   [ OK ] 
+ sudo service isc-dhcp-server start
dhcpd self-test failed. Please fix the config file.
The error was: 
Internet Systems Consortium DHCP Server 4.1.1-P1
Copyright 2004-2010 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Can't open /etc/bind/rndc.key: Permission denied

workaround I like best:
juser@kasp:~$ sudo adduser root bind
Adding user `root' to group `bind' ...
Adding user root to group bind
Done.
juser@kasp:~$ sudo service isc-dhcp-server start
 * Starting ISC DHCP server dhcpd[ OK ] 



** Attachment added: ddns.sh
   
https://bugs.launchpad.net/ubuntu/+source/dhcp3/+bug/341817/+attachment/2592148/+files/ddns.sh



[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-05-12 Thread Juha Erkkilä
It seems this bug is a symptom of this bug:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/727837



[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-04-29 Thread Lorin Soura
After some extensive tinkering, I came up with this solution to the rndc.key 
permissions issue:
As the root user (or sudo) do the following:

cp /etc/bind/rndc.key /etc/dhcp3/
chown dhcp:dhcp /etc/dhcp3/rndc.key
chmod 640 /etc/dhcp3/rndc.key

In /etc/dhcp3/dhcpd.conf add this line:
include "/etc/dhcp3/rndc.key";

chown root:bind /etc/bind/rndc.key
chmod 640 /etc/bind/rndc.key

In /etc/bind/named.conf add this line to the top of the file:
include "/etc/bind/rndc.key";

In /etc/bind/named.conf add this line to the bottom of the file:

controls {
  inet 127.0.0.1 port 953
  allow { 127.0.0.1; } keys { rndc-key; };
};



[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-01-18 Thread Thomas Schweikle
The standard location for rndc.key is, since it belongs to bind-Tools: 
/etc/bind/rndc.key
It should be sufficient to add this whole directory to both: named and dhcpd in 
apparmor.d

BTW: it would be nice if named used /etc/named for its configuration
files! Named and bind-tools are two things one shall not mix up!



[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2011-01-18 Thread Thomas Schweikle
I've tested again:

group bind has users: dhcpd
group dhcpd has users: bind

apparmor.d/usr.sbin.named
apparmor.d/usr.sbin.dhcpd3
both have a line:
/etc/bind/** r, - apparmor allows them to read the file.

/etc/bind is owned by bind:bind, rwxrwx---
/etc/bind/rndc.key is owned by bind:bind, rw-r----- - named fails to read the
file, dhcpd fails to read the file

/etc/bind/rndc.key is owned by bind:bind, rw-r--r-- - (bad idea but:
named can read the file, dhcpd can read the file).

I'd say: at the point in time named, dhcpd try to read the file they are 
running user bind (named), user dhcpd (dhcpd3) but not the required group!
Or: named and dhcpd try to open the file rw, failing because only reading is 
allowed.

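Added example (not part of any message in this thread, and not code from the dhcpd or bind9 packages): a small Python model of the kernel's owner/group/other read check, applied to the rndc.key states tested above and to the "add root to group bind" workaround reported elsewhere in the thread. The uids and gids, the directory modes and the premise that the uid-0 process lacks CAP_DAC_OVERRIDE are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    path: str
    uid: int
    gid: int
    mode: int                        # permission bits, e.g. 0o640

@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups set on the process
    dac_override: bool = False       # holds CAP_DAC_OVERRIDE (uid 0 alone is not enough)

def triplet(node, proc):
    """Return the single rwx triplet that applies: owner, else group, else other."""
    if proc.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid == proc.gid or node.gid in proc.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can_read(chain, proc):
    """chain = parent directories, then the file. Returns (allowed, blocking_path)."""
    if proc.dac_override:
        return True, None
    *dirs, leaf = chain
    for d in dirs:
        if not triplet(d, proc) & 1:   # search (x) is needed on every directory
            return False, d.path
    if not triplet(leaf, proc) & 4:    # read (r) is needed on the file itself
        return False, leaf.path
    return True, None

# Constructed ids: bind uid/gid follow the install log in the thread, the rest are made up.
BIND_UID, BIND_GID, DHCPD_UID, DHCPD_GID = 107, 113, 105, 114

def key_chain(key_mode):
    return [Node("/etc", 0, 0, 0o755),
            Node("/etc/bind", 0, BIND_GID, 0o755),   # directory mode is an assumption
            Node("/etc/bind/rndc.key", BIND_UID, BIND_GID, key_mode)]

if __name__ == "__main__":
    cases = {"root, no CAP_DAC_OVERRIDE": Proc(0, 0),
             "root added to group bind": Proc(0, 0, frozenset({BIND_GID})),
             "dhcpd, groups not initialised": Proc(DHCPD_UID, DHCPD_GID),
             "dhcpd in group bind": Proc(DHCPD_UID, DHCPD_GID, frozenset({BIND_GID}))}
    for label, proc in cases.items():
        print(f"{label:32} 0640 -> {can_read(key_chain(0o640), proc)}")
```

With the key at 0o644 every case passes, which matches the rw-r--r-- observation above and also means any local user can read the shared secret.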


[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2010-08-24 Thread Stephen Gildea
I'm seeing the same thing in 10.04.

The problem is the profile in /etc/apparmor.d/usr.sbin.dhcpd3, which
doesn't allow reading any files in /etc/bind.

Could we have a one-file exception added to this profile, please, to share a 
key between bind and dhcpd?
The original poster used rndc.key, but I prefer that every use of a key use a 
unique key, so I think a name such as ddns-key-1.key or (what I use) dhcp.key 
would be preferable.



[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2010-08-24 Thread Jamie Strandboge
As Chuck said, this doesn't seem like something that can be fixed safely
for everyone. People can always add the key they want to use to
/etc/apparmor.d/usr.sbin.dhcpd and then reload the profile.

Is there a common practice location that we can consider? I think
rndc.key is probably out of the question, but does the official upstream
or Ubuntu documentation give a standard location? We could consider
adding it to the AppArmor profile then.



[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2010-03-07 Thread ben thielsen
i'd like to bump this entry a bit - if nothing else, to understand
better why exactly this doesn't work.

as the user dhcpd runs as (dhcpd), i can read the key file (by way of a
symlink, in my case):

whoami
dhcpd

id dhcpd
uid=105(dhcpd) gid=113(dhcpd) groups=113(dhcpd),999(ddns)

ls -Alh
total 20K
lrwxrwxrwx 1 root root    29 2010-03-07 16:12 ddns-key-1.key -> /etc/bind/keys/ddns-key-1.key
-rw-r----- 1 root dhcpd  148 2009-12-01 20:14 ddns-key-1.key.old
drwxr-xr-x 2 root root  4.0K 2010-02-15 20:29 dhclient-enter-hooks.d
drwxr-xr-x 2 root root  4.0K 2009-12-16 12:17 dhclient-exit-hooks.d
-rw-r----- 1 root dhcpd 4.1K 2009-12-01 20:17 dhcpd.conf

ls -alh /etc/bind/keys/ddns-key-1.key
-rw-r----- 1 root ddns 148 2009-12-01 15:24 /etc/bind/keys/ddns-key-1.key

cat ddns-key-1.key
key ddns-key-1 {
algorithm hmac-md5;
secret xx;
};

yet (as in the initial report) when started via its init script,
/usr/sbin/dhcpd can not:

/etc/init.d/dhcp3-server start
dhcpd self-test failed. Please fix the config file.
The error was: 
Internet Systems Consortium DHCP Server V3.1.2
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Can't open /etc/dhcp3/ddns-key-1.key: Permission denied

why doesn't this work?  what is different when dhcpd is started via its
init script and privs are dropped to the user named dhcpd?  i've
adjusted the apparmor settings for dhcpd, and there are no audit entries
for apparmor being logged - what is preventing this file from being
read?



[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2010-02-03 Thread misse
Hi guys, this kind of solves the bug

http://www.debianadmin.com/howto-setup-dhcp-server-and-dynamic-dns-with-bind-in-debian.html#comment-3326

/Misse



[Bug 341817] Re: dhcpd wont start due to rndc.key permissions

2009-10-06 Thread Chuck Short
Thanks for the bug report, I don't think there is a fix for this due to
the nature of the beast.

Regards
chuck

** Changed in: dhcp3 (Ubuntu)
   Status: New => Triaged
