Package: isc-dhcp-server
Version: 4.4.3-P1-1.1
Severity: normal
Dear Maintainer,
After upgrading from version 4.4.3-P1-1 to 4.4.3-P1-1.1, the newly added
AppArmor configuration blocks the inclusion of files outside /etc/dhcp/,
such as the DDNS TSIG key definitions that are usually installed under
/etc/bind.
I can understand not letting the daemon read files from anywhere, but
using TSIG keys defined by bind is quite common, and it stops working
with a misleading "permission denied" error for files that are readable.
This breaks previously working configurations, without a note in
the changelog.
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.0.0-6-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages isc-dhcp-server depends on:
ii debconf [debconf-2.0] 1.5.80
ii debianutils 5.7-0.4
ii libc6 2.36-7
ii lsb-base 11.5
ii sysvinit-utils [lsb-base] 3.06-2
Versions of packages isc-dhcp-server recommends:
ii isc-dhcp-common 4.4.3-P1-1.1
ii policycoreutils 3.4-1
Versions of packages isc-dhcp-server suggests:
ii ieee-data 20220827.1
pn isc-dhcp-server-ldap <none>
pn policykit-1 <none>
-- Configuration Files:
/etc/dhcp/dhcpd.conf changed:
# dhcpd.conf as attached to the report: an authoritative DHCP server for
# 192.168.1.0/24 that pushes dynamic DNS updates to a local name server and
# serves PXE boot files. Three files are pulled in with include statements;
# two of them live outside /etc/dhcp/.
authoritative;
# Dynamic DNS updates are enabled; the zone blocks below name the target
# server and the key to use.
ddns-update-style standard;
option local-pac-server code 252 = text;
# NOTE(review): the quoted value below is split across two lines in this dump;
# presumably a rendering artifact rather than the real file content (confirm).
option local-pac-server "
http://proxy.institute.lan:80/wpad.dat";
allow booting;
# Key material shared with bind, read from /etc/bind rather than /etc/dhcp/.
# This is the kind of include the report says the new AppArmor configuration
# denies. NOTE(review): if the profile is extended locally, grant read access
# to this one key file only, not to the whole /etc/bind tree, and keep the
# file readable only by the accounts that need it (permissions are not shown
# here).
include "/etc/bind/bookworm.institute.lan.key";
# Forward zone: updates go to the name server on 127.0.0.1 using the key named
# bookworm.institute.lan (presumably defined in the file included above).
zone institute.lan. {
primary 127.0.0.1;
key bookworm.institute.lan;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100 ;
option domain-name-servers 192.168.1.1;
option domain-name "institute.lan";
option routers 192.168.1.1;
option ntp-servers 192.168.1.1;
default-lease-time 86400;
max-lease-time 172800;
next-server 192.168.1.1;
}
# Reverse zone for the same subnet, same server and key as the forward zone.
zone 1.168.192.in-addr.arpa. {
primary 127.0.0.1;
key bookworm.institute.lan;
}
option architecture-type code 93 = unsigned integer 16;
# PXE clients are matched on the vendor class identifier and handed a boot
# file according to the architecture they report: 00:00 gets pxelinux.0,
# while 00:06, 00:07 and 00:09 all get the EFI syslinux binary.
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
if option architecture-type = 00:00 {
filename "/pxelinux.0";
} elsif option architecture-type = 00:09 {
filename "/efi/syslinux.efi";
} elsif option architecture-type = 00:07 {
filename "/efi/syslinux.efi";
} elsif option architecture-type = 00:06 {
filename "/efi/syslinux.efi";
}
}
# Also outside /etc/dhcp/, so presumably subject to the same restriction as
# the key file include above (the report does not mention it explicitly).
include "/etc/fuss-server/dhcp-reservations";
# Inside /etc/dhcp/, the location the report says is still allowed.
include "/etc/dhcp/dhcpd-added.conf";
-- debconf information:
isc-dhcp-server/interfaces: