dhcp3-server fails to drop privileges properly

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

For quantal I'll simply start using --enable-paranoia, introduced upstream with 4.1 that adds support for -user and -group to dhcpd.

I confirmed with the testcase above that groups is properly set using that option.

For previous releases, I think the attached patch should do the trick.

security-team: any problem with that patch? do you want to have this issued as a security fix for previous releases?

Thanks Stéphane,

This isn't a security flaw per se requiring a CVE. If you have something to SRU in previous releases, you can include this, else we'll bundle it next time we do have a security issue to fix.

This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu1

---------------
isc-dhcp (4.2.4-1ubuntu1) quantal; urgency=low

  * Merge from Debian. Remaining changes:
    (LP: #768171, LP: #841182, LP: #881558, LP: #872929, LP: #616809)
    - Use upstart jobs for isc-dhcp-server and isc-dhcp-relay.
    - Add IPv6 support to udeb dhclient-script (forwarded as Debian #635897).
    - Add an apport hook to isc-dhcp-client and isc-dhcp-server.
    - Add an apparmor profile to isc-dhcp-client and isc-dhcp-server.
    - Update default dhclient.conf to ask for IPv6 configuration.
    - Patches:
      + dhclient-fix-backoff
      + dhclient-more-debug
      + dhclient-onetry-call-clientscript
      + dhclient-safer-timeout
      + dhcpd.conf-subnet-examples
      + multi-ip-addr-per-if
      + onetry_retry_after_initial_success
      + revert-next-server
  * Set fqdn.fqdn to the result of gethostname(); (LP: #991360)
  * Replace old droppriv and deroot patches by use of --enable-paranoia
    and matching -user and -group parameters to dhcpd. (LP: #727837)
  * Allow read access to /etc/dhcp/ddns-keys/* for ddns. (LP: #341817)
    It's expected that people generate one key per zone and have it stored
    in both /etc/bind9 and /etc/dhcp/ddns-keys/ for security reason.
  * Fix apport hook to work with python3.

isc-dhcp (4.2.4-1) unstable; urgency=low

  * New upstream release
  * debian/control: reformatted Uploaders so that dch doesn't think I'm making
    NMUs
  * debian/rules: do a clean between the LDAP-enabled build and the
    non-LDAP-enabled one, so that no LDAP-related artefacts are accidently
    incorporated into the non-LDAP build
  * debian/dhclient-script.*: conditionalise the chown/chmod of the new
    resolv.conf on the existence of the old one (closes: #595400)
  * debian/dhclient-script.linux: comply with RFC 3442 and ignore
    the routers option if the rfc3442-classless-static-routes option is present
    (closes: #592735)
  * debian/dhclient-script.kfreebsd: fix subnet mask handling (closes: #677985)

isc-dhcp (4.2.2.dfsg.1-5) unstable; urgency=medium

  [ Andrew Pollock ]
  * debian/dhclient.conf: send the hostname (closes: #151820)

  [ Michael Gilbert ]
  * Fix cve-2011-4868: error in DDNS handling with IPv6 (closes: #655746)
  * Fix cve-2011-4539: error in regular expression handling
    (closes: #652259)
  * Make dependencies diff-able
  * Add myself to uploaders
  * Remove all automatically generated files in clean rule
  * Medium urgency for security updates

isc-dhcp (4.2.2.dfsg.1-4) unstable; urgency=low

  * The "Zoe woke up at 4am and I couldn't get back to sleep so I had some
    extra time to work on this" release
  * patch the Makefile for the embedded BIND libraries so that autoconf is run
    so that the modification to configure.in to fix the FTBFS on kFreeBSD
    actually does something useful (closes: #643569)

isc-dhcp (4.2.2.dfsg.1-3) unstable; urgency=low

  * debian/control: remove transitional packages
  * debian/rules: apply the intent of Pierre Chifflier's patch to enable
    hardening options (closes: #644413)
  * debian/control: also add inetutils-ping to the dependencies for
    isc-dhcp-client on hurd (...

Fix committed to my local branch, should get uploaded later this week.

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Hello Juha, or anyone else affected,

Accepted isc-dhcp into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/isc-dhcp/4.1.ESV-R4-0ubuntu5.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I remember testing this and nobody reported any regression, good to go.

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu5.6

---------------
isc-dhcp (4.1.ESV-R4-0ubuntu5.6) precise-proposed; urgency=low

  [ Scott Moser ]
  * debian/apparmor-profile.dhcpd: use include directory to enable
    other packages to re-use isc-dhcp-server. (LP: #1049177)

  [ Stéphane Graber ]
  * Update onetry_retry_after_initial_success to disable the onetry variable
    early enough to actually prevent dhclient from exiting. (LP: #974284)
  * Update droppriv patch to also call initgroups() (LP: #727837)
 -- Stephane Graber <email address hidden> Tue, 18 Sep 2012 10:34:10 -0400

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against hardy is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

dhcp3 was superceded by isc-dhcp between lucid and precise and therefore is not available under any supported ubuntu release. Marking the task dhcp3 as "Won't Fix".