isc-dhcp-server: Can't create PID file /run/dhcp-server/ Permission denied

Bug #1448657 reported by Ralf G. R. Bergs on 2015-04-26
This bug affects 32 people
Affects Status Importance Assigned to Milestone
isc-dhcp (Ubuntu)

Bug Description

Just upgraded from 14-10 to 15-04, and now see the following in syslog:

Apr 26 10:50:08 server kernel: [70470.960718] audit: type=1400 audit(1430045408.725:8): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=8619 comm="dhcpd" capability=1 capname="dac_ove
Apr 26 10:50:08 server sh[8619]: Can't create PID file /run/dhcp-server/ Permission denied.

Description: Ubuntu 15.04
Release: 15.04

  Installed: 4.3.1-5ubuntu2

----------- 8x -----------------

# cat /etc/default/isc-dhcp-server

# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

# This is a POSIX shell fragment

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).

# Path to dhcpd's PID file (default: /var/run/

# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".

----------- 8x -----------------

# ls -la /var/run
lrwxrwxrwx 1 root root 4 Oct 24 2013 /var/run -> /run

# ls -la /run/dhcp-server/
total 0
drwxr-xr-x 2 dhcpd dhcpd 40 Apr 26 10:59 .
drwxr-xr-x 34 root root 1060 Apr 26 11:33 ..

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in isc-dhcp (Ubuntu):
status: New → Confirmed

I don't think it was correct to mark this as a duplicate of #985417. That bug affected Precise and Quantal and was fixed back in 2012. This bug is currently affecting users of Utopic in 2015.


tags: added: vivid
Changed in isc-dhcp (Ubuntu):
importance: Undecided → Medium

Still occurs in Wily.

tags: added: wily
Stephen Pape (srpape) wrote :

It looks like the line in /lib/systemd/system/isc-dhcp-server.service:

    exec dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/ -cf $CONFIG_FILE $INTERFACES'

 is hardcoded and ignores the DHCPD_PID variable from /etc/default/isc-dhcp-server.

  I think it should be:

    exec dhcpd -user dhcpd -group dhcpd -f -4 -pf $DHCPD_PID -cf $CONFIG_FILE $INTERFACES'

Then there are other issues with the file, like it always tries to run:

    ExecStartPre=/bin/chown dhcpd:dhcpd /run/dhcp-server

regardless of the specified path. Also, if you don't set the variable in /etc/default/isc-dhcp-server, no default is given and the service fails to start.

Stephen Pape (srpape) wrote :

Even after fixing the above problem, AppArmor seems to prevent a PID file from being written. I'm not very familiar with it, but I added:

capability dac_override,

to /etc/apparmor.d/usr.sbin.dhcpd near the other capabilities, restarted the service, and now I have a PID file.

Honsan (honoratosantos-ti) wrote :

I'm newbie on linux and I had this problem too. I think I solved it that way:

here's the contents of a working isc-dhcp-server.service

Jason Hunter (jhunterwu) wrote :

I don't understand how this bug can just stand open? It's not even assigned? I'm even seeing this in 15.10. Why are things like this not being fixed? If Rahaels file is working, then why isn't it included when I apt upgrade?

Simon Arlott ( wrote :

The directory /run/dhcp-server is already owned by dhcpd:dhcpd, but dhcpd is writing to it as root which requires CAP_DAC_OVERRIDE. The directory needs to be owned by root:root if dhcpd is going to write the PID file as root.

Jason Penney (jpenney+ubuntu) wrote :

This also affects isc-dhcp-server6 in the same way. It's service file would also need to be updated similarly.

Wladimir Mutel (mwg) wrote :

Why not fix this bug in Ubuntu Bionic where it still happens ?

Nicorac (nicorac) wrote :

Ubuntu 18.04 here, no apparmor.

Directory /run is on tempfs, so it is empty at start.
I suppose PID file /run/dhcp-server/ can't be created because directory /run/dhcp-server is missing at startup and I haven't found where it will be created.

I've fixed systemd unit "/lib/systemd/system/isc-dhcp-server.service" by creating the needed "/run/dhcp-server" folder before starting dhcpd:
Description=ISC DHCP IPv4 server

# The leases files need to be root:dhcpd even when dropping privileges
ExecStartPre=/bin/mkdir -p /run/dhcp-server
ExecStart=/bin/sh -ec '\
    CONFIG_FILE=/etc/dhcp/dhcpd.conf; \
    if [ -f /etc/ltsp/dhcpd.conf ]; then CONFIG_FILE=/etc/ltsp/dhcpd.conf; fi; \
    [ -e /var/lib/dhcp/dhcpd.leases ] || touch /var/lib/dhcp/dhcpd.leases; \
    chown root:dhcpd /var/lib/dhcp /var/lib/dhcp/dhcpd.leases; \
    chmod 775 /var/lib/dhcp ; chmod 664 /var/lib/dhcp/dhcpd.leases; \
    if [ ! -d /run/dhcp-server ]; then mkdir -p /run/dhcp-server ; chown dhcpd /run/dhcp-server ; chmod 775 /run/dhcp-server; fi; \
    exec dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/ -cf $CONFIG_FILE $INTERFACES'


Still need to fix hardcoded PID filename instead of /etc/default/isc-dhcp-server value...

Nicorac (nicorac) wrote :

After a few investigation I found that my previous fix does not fix the bug at boot, at least on my Ubuntu 18.04 server.

There's no need to manually create the /run/dhcp-server folder since dhcpd automatically creates the needed PID file parent folders by itself.

It only happens at boot so the bug shoud be somewhere else, maybe something in startup sequence/dependencies.
With the original .service file, PID file /run/dhcp-server/ is not created (but server is running); manually restarting the service after boot will create the PID file correctly.

I've workarounded the bug by hardcoding PID file names WITHOUT folder:
/lib/systemd/system/isc-dhcp-server.service ==> "-pf /run/"
/lib/systemd/system/isc-dhcp-server6.service ==> "-pf /run/"

and it works correctly after boot.

Le corre (mulbzh) wrote :

same problem for me with ubuntu 18. The PID is not create !

no update for this case ?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers