Page MenuHomeVyOS Platform
Create Task
Maniphest T2432

dhcpd: Can't create new lease file: Permission denied
Closed, ResolvedPublic
Actions

Description

After T2185 dhcpd doesn't have permission to delete old lease files /config/dhcpd.leases~, as they are root:vyattacfg, but dhcpd is now running as nobody:nobody.

May 07 20:54:09 rt-home dhcpd[2829]: Can't create new lease file: Permission denied

Obviously the following is incorrect as the permissions on dhcpd.leases won't allow nobody to write to it. We also need to apply the same permissions to dhcpd.leases~.

# The leases files need to be root:vyattacfg even when dropping privileges
ExecStart=/bin/sh -ec '\
    CONFIG_FILE=/run/dhcp-server/dhcpd.conf; \
    [ -e /config/dhcpd.leases ] || touch /config/dhcpd.leases; \
    chown root:vyattacfg /config/dhcpd.leases; \
    chmod 664 /config/dhcpd.leases; \
    exec /usr/sbin/dhcpd -user nobody -group nogroup -f -4 -pf /run/dhcp-server/dhcpd.pid -cf $CONFIG_FILE -lf /config/dhcpd.leases'

A ownership of vyattacfg:nobody or nobody:vyattacfg or even adding vyattacfg to nobody group would work.

Details

Version
1.3-rolling-202005071726
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

jjakob created this task.May 7 2020, 7:23 PM
jjakob triaged this task as High priority.
jjakob created this object in space S1 VyOS Public.
jjakob added a comment.EditedMay 7 2020, 7:26 PM

Changing this to

chown nobody:vyattacfg /config/dhcpd.leases*; \
chmod 664 /config/dhcpd.leases*; \

(note the *)
has fixed the error with dhcpd. The same needs to be done to dhcpv6.

Though something else chowned the file to nobody:nogroup anyway:

-rw-r--r-- 1 nobody nogroup   16262 May  7 21:24 dhcpd.leases
-rw-rw-r-- 1 nobody vyattacfg 16262 May  7 21:24 dhcpd.leases~
-rw-r--r-- 1 nobody nogroup    1214 May  7 21:29 dhcpdv6.leases
-rw-rw-r-- 1 root   vyattacfg   353 Apr 20 22:06 dhcpdv6.leases~
pasik subscribed.May 8 2020, 9:34 AM
c-po mentioned this in rVYOSONEX903e576f6be0: Merge branch 'dhcpd-permissions-T2432' of https://github.com/jjakob/vyos-1x….May 8 2020, 4:52 PM
jjakob closed this task as Resolved.May 9 2020, 8:40 AM
jjakob claimed this task.
jjakob moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
Unknown Object (User) reopened this task as Open.Jul 26 2021, 10:08 AM
Unknown Object (User) subscribed.

I think we need to reopen this task. Sometimes (one per hour) some users and I got similar messages on version 1.3-rc4/rc5

vyos@vyos:~$ cat /var/log/messages | grep Perm
Jul 26 06:07:52 vyos dhcpd[1925]: Can't create new lease file: Permission denied
Jul 26 07:08:20 vyos dhcpd[1925]: Can't create new lease file: Permission denied
Jul 26 08:08:59 vyos dhcpd[1925]: Can't create new lease file: Permission denied

Strace output:

sendto(3, "<30>Jul 26 09:08:29 dhcpd[1925]:"..., 91, MSG_NOSIGNAL, NULL, 0) = 91
sendto(8, "\2\1\6\0\370\3226V\0\0\0\0d@\0\2d@\0\2\0\0\0\0\0\0\0\0P\0\0\1"..., 300, 0, {sa_family=AF_INET, sin_port=htons(68), sin_addr=inet_addr("100.64.0.2")}, 16) = 300
recvfrom(8, "\1\1\6\0\370\3226V\0\0\0\0d@\0\2\0\0\0\0\0\0\0\0\0\0\0\0P\0\0\1"..., 1540, 0, {sa_family=AF_INET, sin_port=htons(68), sin_addr=inet_addr("100.64.0.2")}, [16]) = 300
select(9, [5 6 8], [], NULL, {tv_sec=1, tv_usec=707300}) = 0 (Timeout)
select(9, [5 6 8], [], NULL, {tv_sec=0, tv_usec=0}) = 0 (Timeout)
select(9, [5 6 8], [], NULL, {tv_sec=118, tv_usec=994239}) = 2 (in [6 8], left {tv_sec=66, tv_usec=267371})
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="P\0\0\2\0\1P\0\0\1\0\1\10\0E\0\1H\n\221@\0@\21f\221d@\0\2d@"..., iov_len=1536}], msg_iovlen=1, msg_control=[{cmsg_len=36, cmsg_level=SOL_PACKET, cmsg_type=0x8}], msg_controllen=36, msg_flags=0}, 0) = 342
getpid()                                = 1925
sendto(3, "<30>Jul 26 09:09:23 dhcpd[1925]:"..., 98, MSG_NOSIGNAL, NULL, 0) = 98
write(7, "lease 100.64.0.2 {\n  starts 1 20"..., 297) = 297
fsync(7)                                = 0
openat(AT_FDCWD, "/config/dhcpd.leases.1627290563", O_WRONLY|O_CREAT|O_TRUNC, 0664) = -1 EACCES (Permission denied)

So dhcpd trying to move the old lease file to /config/dhcpd.leases.1627290563 but it does not have permission to this directory.

Unknown Object (User) added a project: VyOS 1.4 Sagitta.Jul 29 2021, 10:53 AM
Unknown Object (User) added a comment.Jul 29 2021, 11:01 AM

PR https://github.com/vyos/vyos-1x/pull/945
Also, need to cherry-pick it to Equuleus

Unknown Object (User) changed the task status from Open to In progress.Jul 29 2021, 11:01 AM
Restricted Repository Identity mentioned this in rVYOSONEX417b46fb1106: Merge pull request #945 from DmitriyEshenko/1x-29072021-01.Jul 29 2021, 2:59 PM
Unknown Object (User) mentioned this in rVYOSONEX54abd97845fd: dhcp-server: T2432: Run dhcpd in group vyattacfg to allow recreate lease files.Jul 29 2021, 2:59 PM
dmbaturin added a project: test.Jul 29 2021, 2:59 PM
Unknown Object (User) closed this task as Unknown Status.Aug 3 2021, 8:13 AM
dmbaturin mentioned this in rVYOSONEXe737bac9fc8c: dhcp-server: T2432: Run dhcpd in group vyattacfg to allow recreate lease files.Aug 9 2021, 1:04 PM
Unknown Object (User) changed the task status from Unknown Status to Resolved.Aug 12 2021, 2:35 PM
erkin set Issue type to Bug (incorrect behavior).Aug 30 2021, 6:19 AM
erkin removed a subscriber: Global Notifications.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed test, VyOS 1.3 Equuleus.Sep 5 2021, 7:06 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.Sep 5 2021, 4:08 PM