dhcpd won't start due to rndc.key permission problem

damateem · 07-06-2013, 03:08 PM

I recently performed an upgrade using

Code:

sudo apt-get upgrade

dhcp3 was one of the packages that was upgraded.

After the upgrade, the dhcp server fails to start.

When I try to start the server using

Code:

sudo /etc/init.d/dhcp3-server restart

I get the message

Code:

dhcpd self-test failed. Please fix the config file.
The error was:
Internet Systems Consortium DHCP Server V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Can't open /etc/bind/rndc.key: Permission denied

The permissions are as follows.

Code:

ls -l /etc/bind/rndc.key
-rw-r----- 1 bind dhcpd 77 Dec 31  2010 /etc/bind/rndc.key

ls -ld /etc/bind/
drwxr-sr-x 2 root bind 4096 Apr 14 19:57 /etc/bind/

stat /etc/bind/rndc.key
  File: `/etc/bind/rndc.key'
  Size: 77              Blocks: 8          IO Block: 4096   regular file
Device: fb00h/64256d    Inode: 4457660     Links: 1
Access: (0640/-rw-r-----)  Uid: (  104/    bind)   Gid: (  114/   dhcpd)
Access: 2013-07-02 22:57:18.434182007 -0400
Modify: 2010-12-31 12:16:03.411208154 -0500
Change: 2013-07-04 15:01:19.474074762 -0400

I've done some research and tried changing ownership and permissions on rndc.key, but I continue to get the permission error.

At this point, I'm not sure what to try next. Any help would be greatly appreciated.

damateem · 07-07-2013, 12:19 PM

I took a look at /var/log/syslog and the following is being reported each time I try to start the dhcp server.

Code:

Jul  6 23:10:05 server1 dhcpd: Can't open /etc/bind/rndc.key: Permission denied
Jul  6 23:10:05 server1 dhcpd: Internet Systems Consortium DHCP Server V3.1.3
Jul  6 23:10:05 server1 dhcpd: Copyright 2004-2009 Internet Systems Consortium.
Jul  6 23:10:05 server1 dhcpd: All rights reserved.
Jul  6 23:10:05 server1 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jul  6 23:10:05 server1 dhcpd: Can't open /etc/bind/rndc.key: Permission denied
Jul  6 23:10:05 server1 kernel: [346373.245946] type=1503 audit(1373166605.397:66):  operation="open" pid=13324 parent=13323 profile="/usr/sbin/dhcpd3" requested_mask="::r" denied_mask="::r" fsuid=105 ouid=104 name="/etc/bind/rndc.key"
Jul  6 23:10:05 server1 kernel: [346373.247447] type=1503 audit(1373166605.397:67):  operation="open" pid=13325 parent=13323 profile="/usr/sbin/dhcpd3" requested_mask="::r" denied_mask="::r" fsuid=105 ouid=104 name="/etc/bind/rndc.key"

Where, the IDs are

Code:

104 = bind
105 = dhcpd

What is this message trying to tell me?

Code:

Jul  6 23:10:05 server1 kernel: [346373.245946] type=1503 audit(1373166605.397:66):  operation="open" pid=13324 parent=13323 profile="/usr/sbin/dhcpd3" requested_mask="::r" denied_mask="::r" fsuid=105 ouid=104 name="/etc/bind/rndc.key"

What is the meaning of "fsuid" and "ouid"?

What does 'requested_mask="::r"' mean?

Is this error message coming from AppArmor?

rjmx · 06-18-2023, 09:33 PM

https://ubuntuforums.org/showthread.php?t=1198162

Specifically,

- add to /etc/apparmor.d/local/usr.sbin.dhcpd:
/etc/bind/ rw,
/etc/bind/** rw,

- set /etc/bind/rndc.key to root:bind, 0640