dhclient silently ignores unreadable config-file

Bug #537851 reported by Mike C. Fletcher
Affects: dhcp3 (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

When running dhclient against a config-file that happens not to be whitelisted by AppArmor, dhclient will silently ignore the failure and continue with the default config-file in /etc/dhcp3/dhclient.conf rather than error out. dhclient should (at least) report an error/warning on stdout, and should likely exit with a non-zero error code when an explicitly-passed config-file is not readable. That is, if the user has *explicitly* specified a config on the command-line, no config other than that config should be used.

To reproduce/test, create a dhclient.conf file anywhere that isn't readable/writable by the AppArmor profile (such as ~/) with a non-standard option specified (one that is not in your /etc/dhcp3/dhclient.conf):

   send vendor-class-identifier "myvendorname";

and attempt to run:

   $ sudo dhclient -cf ~/dhclient.conf -lf /var/lib/dhcp3/test.leases eth0

while running wireshark for eth0. dhclient will silently ignore the failure to load ~/dhclient.conf and will instead use /etc/dhcp3/dhclient.conf (you can see this in your wireshark dump, as vendor-class-identifier will not be sent). Move the same file to /etc/dhcp3/dhclient-test.conf and run again and you should see the option being sent.

Description: Ubuntu 9.10
Release: 9.10

Package: dhcp3-client
State: installed
Automatically installed: no
Version: 3.1.2-1ubuntu7.1

Chuck Short (zulcss) wrote :

Can you run a strace with the command and please attach the output?

Thanks
chuck

Changed in dhcp3 (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Chuck Short (zulcss) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in dhcp3 (Ubuntu):
status: Incomplete → Invalid
Changed in dhcp3 (Ubuntu):
status: Invalid → Confirmed
Jean-Pierre van Riel (jpvr) wrote :

I can confirm this issue. I have reproduced the problem and used strace. I've also found the AppArmor log entry. AppArmor disallowing the -cf <new location> is presumably intentional. The bug is that dhclient3 does not warn the user or log an error when it's unable to open the file passed to -cf.

In trace-cust-dhcpclient.log:

  open("/home/<user>/Scripts/reroute/dhclient-cust-sbsa.conf", O_RDONLY) = -1 EACCES (Permission denied)

In kern.log:

  Nov 7 17:09:18 <hostname> kernel: [20777.329386] type=1400 audit(1320678558.977:25): apparmor="DENIED" operation="open" parent=8316 profile="/sbin/dhclient3" name="/home/<user>/Scripts/reroute/dhclient-cust-sbsa.conf" pid=8317 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000

The trace was produced as follows:

  sudo strace -e trace=file dhclient -e IF_METRIC=0 -cf /home/enigma/Scripts/reroute/dhclient-cust-sbsa.conf usb0 &> trace-cust-dhcpclient.log
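
Added example, not dhclient's source and not part of any comment in this report: a simplified C model of the silent fallback described above next to the fail-closed handling the report asks for. The function names are hypothetical, and a constructed nonexistent path stands in for the AppArmor-denied file (the open() fails either way, with EACCES in the reported case).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Reported behaviour (simplified model): a failure to open the file
 * given with -cf is swallowed and the default config is used instead. */
int open_conf_silent(const char *cf_path, const char *default_path,
                     const char **used)
{
    if (cf_path != NULL) {
        int fd = open(cf_path, O_RDONLY);
        if (fd >= 0) { *used = cf_path; return fd; }
        /* error dropped here: the caller never learns -cf was ignored */
    }
    *used = default_path;
    return open(default_path, O_RDONLY);
}

/* Requested behaviour: an explicitly passed file is the only candidate.
 * On failure, report the error on stderr and return -1 with errno
 * preserved so the caller can exit non-zero. */
int open_conf_strict(const char *cf_path, const char *default_path,
                     const char **used)
{
    const char *path = cf_path != NULL ? cf_path : default_path;
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        int saved = errno;
        fprintf(stderr, "can't open config file %s: %s\n",
                path, strerror(saved));
        *used = NULL;
        errno = saved;
        return -1;
    }
    *used = path;
    return fd;
}

int main(void)
{
    const char *used = NULL;
    /* Constructed paths: a missing file stands in for the denied one. */
    int fd = open_conf_strict("/nonexistent/dhclient.conf", "/dev/null", &used);
    if (fd < 0)
        return 1; /* fail closed instead of using the default */
    close(fd);
    return 0;
}
```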
