[PKG-Openstack-devel] Bug#751524: Bug#751524: neutron-dhcp-agent: dnsmasq process do not have permission to access his option file

Thomas Goirand zigo at debian.org
Sat Jun 14 06:16:15 UTC 2014


On 06/14/2014 01:18 AM, Romain Chantereau wrote:
> Package: neutron-dhcp-agent
> Version: 2014.1.1-2~bpo70+1
> Severity: normal
> 
> Dear Maintainer,
> 
> After installing and following the OpenStack installation guide, I faced an issue with an instance not getting its IP from the DHCP server.
> 
> After some investigation, syslog reported:
> /var/lib/neutron/dhcp/{id}/host : Permission denied
> 
> And as the dnsmasq process is launched as "nobody", and as /var/lib/neutron is rx for owner and group (neutron) only (no rights for others), the dnsmasq process was unable to read its allocable IP pool.
> 
> I just did a chmod o+x /var/lib/neutron and it worked.
> 
> Could you fix it in the package (finding a way to run dnsmasq as the neutron user or setting sufficient permissions on the directory)?
> 
> Thanks for your work.
> Regards,
> Romain

This is IMO a problem with Neutron upstream code, which should be
running dnsmasq as neutron user. If you do:

    dnsmasq --help | grep user

then you see that there is a --user=<username> option, which isn't in
use in the spawn_process() function in neutron/agent/linux/dhcp.py. We
could simply add that option there, which would be a much better fix
than doing a chmod o+x /var/lib/neutron, which may have system wide
security implications.

Such a change should of course be proposed upstream, rather than just
patched locally. I would strongly suggest opening a thread on the
OpenStack dev list. It is my experience that such Unix rights changes
often have security implications which are hard to foresee, and I would
hate to introduce a Debian-specific security issue.

Your thoughts?

Cheers,

Thomas Goirand (zigo)
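
The permission failure discussed in this thread, as an added example (not part of the original messages, and not Neutron or Debian code): a mode-bit walk that reports which path component blocks a given uid, run against a constructed temporary tree standing in for /var/lib/neutron/dhcp/{id}/host. The function names, the "net-id" directory and the stand-in uids are assumptions; only classic owner/group/other bits are modelled (no ACLs, capabilities or LSM policy).

```python
import os
import stat
import tempfile

def _allowed(st, uid, gids, need):
    """Classic Unix check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    bit = {"r": 4, "x": 1}[need]
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & bit)

def first_blocked(base, relpath, uid, gids):
    """Return (component, missing_bit) for the first component under `base`
    that uid/gids cannot search (directory) or read (file), else None."""
    current = base
    for part in relpath.split("/"):
        current = os.path.join(current, part)
        st = os.stat(current)
        need = "x" if stat.S_ISDIR(st.st_mode) else "r"
        if not _allowed(st, uid, gids, need):
            return os.path.relpath(current, base), need
    return None

def demo():
    """Constructed tree: neutron/ is 0750, everything below is world-readable."""
    rel = "neutron/dhcp/net-id/host"
    with tempfile.TemporaryDirectory() as base:
        neutron = os.path.join(base, "neutron")
        os.makedirs(os.path.join(neutron, "dhcp", "net-id"))
        os.chmod(os.path.join(neutron, "dhcp"), 0o755)
        os.chmod(os.path.join(neutron, "dhcp", "net-id"), 0o755)
        host = os.path.join(base, rel)
        open(host, "w").close()
        os.chmod(host, 0o644)
        os.chmod(neutron, 0o750)  # rx for owner and group only, as reported
        st = os.stat(neutron)
        owner = (st.st_uid, [st.st_gid])          # stand-in for "neutron"
        other = (st.st_uid + 1, [st.st_gid + 1])  # stand-in for "nobody"
        before = first_blocked(base, rel, *other)
        as_owner = first_blocked(base, rel, *owner)
        os.chmod(neutron, 0o751)  # the chmod o+x workaround
        # None here holds for every non-owner uid, not only dnsmasq's
        after = first_blocked(base, rel, *other)
        return before, as_owner, after
```

The host file's own mode never mattered in the "before" case: the missing search bit on the top-level directory is what produces the Permission denied.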


