I came across this bug myself and decided to take a closer look. On trusty, as mentioned, we need the extra PARANOIA patch from 4.3.3. This will chown the lease file to dhcpd:dhcpd so that afterwards rotation works. I backported a very minimal patch for this. However, the upstart job needed to be adjusted to have this instead:

    ...
    # The leases files need to be root:dhcpd for dropping privileges
    [ -e /var/lib/dhcp/dhcpd.leases ] || touch /var/lib/dhcp/dhcpd.leases
    chown root:dhcpd /var/lib/dhcp /var/lib/dhcp/dhcpd.leases
    chmod 775 /var/lib/dhcp
    chmod 664 /var/lib/dhcp/dhcpd.leases
    ...

'capability chown' needs to be added to the apparmor profile. This allows root to open the file in /var/lib/dhcp without capability dac_override or capability fowner, allows the fchown of the lease file to dhcpd:dhcpd, then allows the dhcpd user to manage the leases and leases~ files.

I have test packages in https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages if people want to try them out. If they work for affected users, I'll pursue an SRU to trusty-updates.

I didn't look at xenial very closely, but it doesn't seem to need the root:dhcpd setup. Upstream must have reordered priv dropping and the fchown, etc. for this to work. While it would be possible to backport these changes to trusty, I prefer the minimal patch and change to the upstart job in the ppa for a stable release update.

** Changed in: isc-dhcp (Ubuntu Trusty)
       Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1186662

Title:
  isc-dhcp-server fails to renew lease file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1186662/+subscriptions
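The pre-start stanza quoted in the comment above sets up the lease directory so that dhcpd can drop root and still rename its lease file. The script below is an added example, not part of the bug report or of the isc-dhcp package: it mirrors that stanza in a function and adds a check that an admin can run after installing the test package to confirm the ownership and modes are in place, rather than waiting for the next lease rotation to fail. The directory, owner and group are parameters (assumed names, not from the page) so the functions can be exercised in a scratch directory without root; on a real trusty host they would be /var/lib/dhcp, root and dhcpd.

```shell
#!/bin/sh
# Added example (not the bug report's or the package's own code).
# setup_lease_dir reproduces the upstart pre-start logic from the comment:
#   dir  <owner>:<group> 0775
#   file <owner>:<group> 0664   (dhcpd.leases, created if missing)
setup_lease_dir() {
    dir="$1"; owner="$2"; group="$3"
    mkdir -p "$dir"
    [ -e "$dir/dhcpd.leases" ] || touch "$dir/dhcpd.leases"
    chown "$owner:$group" "$dir" "$dir/dhcpd.leases"
    chmod 775 "$dir"
    chmod 664 "$dir/dhcpd.leases"
}

# check_lease_dir returns 0 when the directory and lease file carry the
# expected modes and group, 1 otherwise, printing each mismatch. This is the
# state the privilege-dropping daemon needs: group-writable directory so the
# dhcpd user can create/rename leases~, group-writable lease file so it can
# append. Uses GNU/busybox 'stat -c'.
check_lease_dir() {
    dir="$1"; group="$2"; rc=0
    for entry in "$dir:775" "$dir/dhcpd.leases:664"; do
        path="${entry%:*}"; want="${entry#*:}"
        got=$(stat -c '%a' "$path" 2>/dev/null) || {
            echo "missing: $path"; rc=1; continue
        }
        [ "$got" = "$want" ] || { echo "mode $got != $want: $path"; rc=1; }
        grp=$(stat -c '%G' "$path")
        [ "$grp" = "$group" ] || { echo "group $grp != $group: $path"; rc=1; }
    done
    return $rc
}

# Usage on a trusty host after installing the test package (needs no root):
#   sh lease-perms.sh check
case "${1:-}" in
    check) check_lease_dir /var/lib/dhcp dhcpd ;;
esac
```

The check deliberately reports every mismatch instead of stopping at the first one, since a directory with the right group but mode 755 and a lease file owned by root:root are both symptoms of the unpatched job and are easier to diagnose together.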