
dhcpd: Can't create new lease file: Permission denied
Closed, Resolved (Public)

Description

After T2185 dhcpd doesn't have permission to delete old lease files /config/dhcpd.leases~, as they are root:vyattacfg, but dhcpd is now running as nobody:nobody.

May 07 20:54:09 rt-home dhcpd[2829]: Can't create new lease file: Permission denied

Obviously the following is incorrect as the permissions on dhcpd.leases won't allow nobody to write to it. We also need to apply the same permissions to dhcpd.leases~.

# The leases files need to be root:vyattacfg even when dropping privileges
ExecStart=/bin/sh -ec '\
    CONFIG_FILE=/run/dhcp-server/dhcpd.conf; \
    [ -e /config/dhcpd.leases ] || touch /config/dhcpd.leases; \
    chown root:vyattacfg /config/dhcpd.leases; \
    chmod 664 /config/dhcpd.leases; \
    exec /usr/sbin/dhcpd -user nobody -group nogroup -f -4 -pf /run/dhcp-server/dhcpd.pid -cf $CONFIG_FILE -lf /config/dhcpd.leases'

An ownership of vyattacfg:nobody or nobody:vyattacfg, or even adding vyattacfg to the nobody group, would work.

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-202005071726
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

jjakob triaged this task as High priority. May 7 2020, 7:23 PM
jjakob created this task.
jjakob created this object in space S1 VyOS Public.

Changing this to

chown nobody:vyattacfg /config/dhcpd.leases*; \
chmod 664 /config/dhcpd.leases*; \

(note the *)
has fixed the error with dhcpd. The same needs to be done to dhcpv6.

Though something else chowned the file to nobody:nogroup anyway:

-rw-r--r-- 1 nobody nogroup   16262 May  7 21:24 dhcpd.leases
-rw-rw-r-- 1 nobody vyattacfg 16262 May  7 21:24 dhcpd.leases~
-rw-r--r-- 1 nobody nogroup    1214 May  7 21:29 dhcpdv6.leases
-rw-rw-r-- 1 root   vyattacfg   353 Apr 20 22:06 dhcpdv6.leases~
jjakob claimed this task.
jjakob moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
Dmitry added a subscriber: Dmitry.

I think we need to reopen this task. Sometimes (once per hour) some users and I get similar messages on version 1.3-rc4/rc5:

vyos@vyos:~$ cat /var/log/messages | grep Perm
Jul 26 06:07:52 vyos dhcpd[1925]: Can't create new lease file: Permission denied
Jul 26 07:08:20 vyos dhcpd[1925]: Can't create new lease file: Permission denied
Jul 26 08:08:59 vyos dhcpd[1925]: Can't create new lease file: Permission denied

Strace output:

sendto(3, "<30>Jul 26 09:08:29 dhcpd[1925]:"..., 91, MSG_NOSIGNAL, NULL, 0) = 91
sendto(8, "\2\1\6\0\370\3226V\0\0\0\0d@\0\2d@\0\2\0\0\0\0\0\0\0\0P\0\0\1"..., 300, 0, {sa_family=AF_INET, sin_port=htons(68), sin_addr=inet_addr("100.64.0.2")}, 16) = 300
recvfrom(8, "\1\1\6\0\370\3226V\0\0\0\0d@\0\2\0\0\0\0\0\0\0\0\0\0\0\0P\0\0\1"..., 1540, 0, {sa_family=AF_INET, sin_port=htons(68), sin_addr=inet_addr("100.64.0.2")}, [16]) = 300
select(9, [5 6 8], [], NULL, {tv_sec=1, tv_usec=707300}) = 0 (Timeout)
select(9, [5 6 8], [], NULL, {tv_sec=0, tv_usec=0}) = 0 (Timeout)
select(9, [5 6 8], [], NULL, {tv_sec=118, tv_usec=994239}) = 2 (in [6 8], left {tv_sec=66, tv_usec=267371})
recvmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="P\0\0\2\0\1P\0\0\1\0\1\10\0E\0\1H\n\221@\0@\21f\221d@\0\2d@"..., iov_len=1536}], msg_iovlen=1, msg_control=[{cmsg_len=36, cmsg_level=SOL_PACKET, cmsg_type=0x8}], msg_controllen=36, msg_flags=0}, 0) = 342
getpid()                                = 1925
sendto(3, "<30>Jul 26 09:09:23 dhcpd[1925]:"..., 98, MSG_NOSIGNAL, NULL, 0) = 98
write(7, "lease 100.64.0.2 {\n  starts 1 20"..., 297) = 297
fsync(7)                                = 0
openat(AT_FDCWD, "/config/dhcpd.leases.1627290563", O_WRONLY|O_CREAT|O_TRUNC, 0664) = -1 EACCES (Permission denied)

So dhcpd is trying to move the old lease file to /config/dhcpd.leases.1627290563, but it does not have permission for this directory.
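The two failures in this thread, the unit file in the description (which only fixes the mode of the lease file itself) and the EACCES on openat(O_CREAT) in the strace above, come down to which object each step of dhcpd's lease rewrite needs permission on: appending a lease record needs write on the file, but creating dhcpd.leases.<timestamp> and renaming it over the old file needs write and search on the directory. The following is an added example, not VyOS or ISC dhcpd code: it parses ls -l lines like the ones pasted in this ticket and applies plain POSIX mode-bit checks (no ACLs, capabilities or sticky bit) to each step. The uid/gid table, the /config directory lines and the "dir writable" layout are constructed assumptions; the ticket never shows the directory's mode or what the final fix looked like.

```python
"""Permission preflight for a privilege-dropping dhcpd's lease directory.

Added example for this ticket; not VyOS or ISC dhcpd code. It models the plain
POSIX mode-bit checks (no ACLs, no capabilities, no sticky bit) behind the two
failures in the thread: appending to the lease file needs write on the file,
while creating <lease>.<timestamp> and renaming it over the old file needs
write+search on the directory that holds it.
"""

R, W, X = 4, 2, 1

# Constructed uid/gid table; the numbers are illustrative, not VyOS values.
PASSWD = {"root": 0, "nobody": 65534}
GROUP = {"root": 0, "vyattacfg": 102, "nogroup": 65534, "nobody": 65534}


def parse_ls_line(line):
    """Turn one `ls -l` line (as pasted in the ticket) into (mode, uid, gid, name)."""
    perms, _links, user, group, _size, _mon, _day, _time, name = line.split(None, 8)
    mode = 0
    for i, ch in enumerate(perms[1:10]):          # rwxrwxrwx, left to right
        if ch != "-":                             # 's'/'t' also imply the x bit here
            mode |= 1 << (8 - i)
    return mode, PASSWD[user], GROUP[group], name


def allowed(mode, ent_uid, ent_gid, uid, gid, groups, want):
    """POSIX access check: owner class applies if uid matches, else group, else other."""
    if uid == 0:
        return True                               # root bypasses mode bits (CAP_DAC_OVERRIDE)
    if ent_uid == uid:
        bits = (mode >> 6) & 7
    elif ent_gid == gid or ent_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def lease_rotation_check(dir_line, lease_line, user, group, extra_groups=()):
    """Report whether each step dhcpd performs on a lease rewrite would succeed.

    dir_line / lease_line are `ls -l` lines for the lease directory and lease file;
    user / group / extra_groups are the credentials dhcpd runs with after -user/-group.
    """
    uid, gid = PASSWD[user], GROUP[group]
    groups = {GROUP[g] for g in extra_groups}
    dmode, duid, dgid, _ = parse_ls_line(dir_line)
    fmode, fuid, fgid, _ = parse_ls_line(lease_line)
    return {
        # write(7, "lease ...") in the strace: needs write on the file itself
        "append lease record": allowed(fmode, fuid, fgid, uid, gid, groups, W),
        # openat(..., "dhcpd.leases.<ts>", O_CREAT): needs write+search on the directory
        "create new lease file": allowed(dmode, duid, dgid, uid, gid, groups, W | X),
        # rename(2) of new over old: directory write+search, the file's own mode is irrelevant
        "rename new over old": allowed(dmode, duid, dgid, uid, gid, groups, W | X),
    }


# Constructed `ls -l` lines. The lease-file lines mirror the ticket; the /config
# lines are assumptions, since the ticket never shows the directory's mode.
CONFIG_DIR_755 = "drwxr-xr-x 4 root vyattacfg 4096 Jul 26 06:00 config"
CONFIG_DIR_775 = "drwxrwxr-x 4 root vyattacfg 4096 Jul 26 06:00 config"
LEASES_ORIGINAL = "-rw-rw-r-- 1 root   vyattacfg 16262 May  7 21:24 dhcpd.leases"
LEASES_CHOWNED = "-rw-rw-r-- 1 nobody vyattacfg 16262 May  7 21:24 dhcpd.leases"


def scenarios():
    """The three states discussed in the ticket, under the model above."""
    return {
        # unit file from the description: file root:vyattacfg 664, daemon nobody:nogroup
        "as reported": lease_rotation_check(CONFIG_DIR_755, LEASES_ORIGINAL, "nobody", "nogroup"),
        # after `chown nobody:vyattacfg`: appending works, the create in /config still fails
        "after chown": lease_rotation_check(CONFIG_DIR_755, LEASES_CHOWNED, "nobody", "nogroup"),
        # one assumed layout that passes: group-writable directory, daemon in vyattacfg
        "dir writable": lease_rotation_check(
            CONFIG_DIR_775, LEASES_CHOWNED, "nobody", "nogroup", ("vyattacfg",)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, {step: "ok" if ok else "EACCES" for step, ok in result.items()})
```

Running it prints, per scenario, which step would return EACCES: the "after chown" case reproduces the strace above (append ok, create denied), which is why fixing only the lease file's owner and mode is not enough when the daemon drops privileges. The "dir writable" layout is one arrangement that passes under this model, not the change VyOS shipped.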

Dmitry changed the task status from Open to In progress. Jul 29 2021, 11:01 AM
Dmitry changed the task status from In progress to Backport pending. Aug 3 2021, 8:13 AM
erkin set Issue type to Bug (incorrect behavior). Aug 30 2021, 6:19 AM
erkin removed a subscriber: Active contributors.