[jaunty] no internet connection: dhclient-script cannot be execve'd

Bug #332521 reported by Matteo Settenvini on 2009-02-21
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
dhcp3 (Ubuntu)
Undecided
Jamie Strandboge

Bug Description

Description: Ubuntu jaunty (development branch)
Release: 9.04
Linux Dahlia 2.6.27-1-powerpc64-smp #1 SMP Fri Nov 7 02:34:19 UTC 2008 ppc64 GNU/Linux

After today updates, I find myself unable to have dhcp working (thus, also networkmanager doesn't work).

If I run manually "dchlient eth1", I get:

root@Dahlia:/var/cache/apt/archives# dhclient eth1
There is already a pid file /var/run/dhclient.pid with pid 9119
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

execve (/sbin/dhclient-script, ...): Permission denied
Listening on LPF/eth1/00:11:24:70:fe:6e
Sending on LPF/eth1/00:11:24:70:fe:6e
Sending on Socket/fallback
DHCPREQUEST of 192.168.1.215 on eth1 to 255.255.255.255 port 67
DHCPACK of 192.168.1.215 from 192.168.1.1
execve (/sbin/dhclient-script, ...): Permission denied
bound to 192.168.1.215 -- renewal in 9772 seconds.

So, I tried running manually dhclient-script as root:

root@Dahlia:~# /sbin/dhclient-script
bash: /sbin/dhclient-script: /bin/bash: bad interpreter: Permission denied

However:

root@Dahlia:~# ls -l /sbin/dhclient-script
-rwxr-xr-x 1 root root 8714 2009-02-19 18:50 /sbin/dhclient-script

and:

root@Dahlia:~# head -n 1 /sbin/dhclient-script
#!/bin/bash
root@Dahlia:~# ls -l /bin/bash
-rwxr-xr-x 1 root root 842096 2008-05-12 20:49 /bin/bash

WTF is going on???

Matteo Settenvini (tchernobog) wrote :

My dmesg shows up the problem: dhclient-script profile doesn't allow for accessing some files.

Jamie Strandboge (jdstrand) wrote :

I cannot reproduce this. /sbin/dhclient and /sbin/dhclient-script work just fine under apparmor. What version of dhcp3-client do you have? Can you post your /etc/apparmor.d/sbin.dhclient file as well as the output of 'sudo aa-status'?

Changed in dhcp3:
assignee: nobody → jdstrand
status: New → Incomplete
Matteo Settenvini (tchernobog) wrote :

dpkg -l dhcp3-client
dhcp3-client 3.1.1-5ubuntu5 DHCP client

matteo@Dahlia:~$ sudo aa-status
[sudo] password for matteo:
apparmor module is loaded.
8 profiles are loaded.
8 profiles are in enforce mode.
   /usr/share/gdm/guest-session/Xsession
   /usr/sbin/tcpdump
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/mysqld
   /sbin/dhclient3
   /usr/sbin/cupsd
   /sbin/dhclient-script
   /usr/lib/NetworkManager/nm-dhcp-client.action
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode :
   /usr/sbin/cupsd (4598)
   /usr/sbin/mysqld (4483)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Changed in dhcp3:
status: Incomplete → New
Matteo Settenvini (tchernobog) wrote :

root@Dahlia:/home/matteo# strace dhclient-script
execve("/sbin/dhclient-script", ["dhclient-script"], [/* 25 vars */]) = -1 EACCES (Permission denied)
dup(2) = 3
fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf7ffb000
_llseek(3, 0, 0xff8af298, SEEK_CUR) = -1 ESPIPE (Illegal seek)
write(3, "strace: exec: Permission denied\n"..., 32strace: exec: Permission denied
) = 32
close(3) = 0
munmap(0xf7ffb000, 4096) = 0
exit_group(1)

Jamie Strandboge (jdstrand) wrote :

Can you list the contents of the /etc/apparmor.d directory?

Changed in dhcp3:
status: New → Incomplete
Matteo Settenvini (tchernobog) wrote :

Now version 3.1.1-5ubuntu6 is installed. Same problem.

matteo@Dahlia:~$ ls -R /etc/apparmor.d
/etc/apparmor.d:
abstractions gdm-guest-session usr.sbin.cupsd
disable sbin.dhclient3 usr.sbin.mysqld
force-complain tunables usr.sbin.tcpdump

/etc/apparmor.d/abstractions:
aspell freedesktop.org nis ssl_certs web-data
audio gnome nvidia ssl_keys winbind
authentication gnupg orbit2 svn-repositories wutmp
base kde perl user-download X
bash kerberosclient php5 user-mail xad
consoles likewise python user-manpages
cups-client mdns ruby user-tmp
dbus mysql samba user-write
fonts nameservice smbpass video

/etc/apparmor.d/disable:

/etc/apparmor.d/force-complain:

/etc/apparmor.d/tunables:
global home ntpd proc

Changed in dhcp3:
status: Incomplete → New
Matteo Settenvini (tchernobog) wrote :

Seems to have been recently fixed in Jaunty PPC. Don't know exactly with which package, but now it works.

Changed in dhcp3:
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

That is excellent news. I thought it might be PPC specific as well, and just got my hands on a PPC machine to test it out. Thanks for your feedback.

Alejandro Bonilla (petarro) wrote :

Im having this issue with Jaunty with the eeepc kernel. I opened bug 343898. Please fix! :)

abrahamcovelo (abraham-covelo) wrote :

I have solved the problem in eeepc with Jaunty. And I think is the same problem found with other PCs. Specific permissions per program in /etc/apparmor.d/sbin.dhclient3 prevent dhcp3 to be execve'd. As a workaround I move this file out and restarted apparmor (so far I have info about the syntax of this configuration file to solve the issue properly):

/etc/init.d/apparmor restart

The problem is fixed now

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers