KEA 1.8 API config-write command not enough permissions on /etc/kea/kea-dhcp4.conf, same permissions as in KEA 1.4
name: Bug report
about: KEA 1.8 API config-write command not enough permissions on /etc/kea/kea-dhcp4.conf
If you believe your bug report is a security issue (e.g. a packet that can kill the server), DO NOT REPORT IT HERE. Please use https://www.isc.org/community/report-bug/ instead or send mail to security-office(at)isc(dot)org.
Describe the bug We currently run KEA 1.4 on Ubuntu 16.04 containers within our production environment. The KEA API is used with the write-config command to push an updated config to the KEA container. In version 1.4 this works perfect.
At the moment we are rebuilding our environment on new servers. KEA is still deployed in containers with LXC, except we upgraded to Ubuntu 20.04 and KEA 1.8. KEA is installed via the Cloudsmith repositories. The kea-ctrl agent is deployed and working correctly, except for the config-write command. When this command is executed in our new environment, we receive the following message:
result text
1 Error during write-config:Unable to open file /etc/kea/kea-dhcp4.conf for writing
This problem is solved by editing the permissions on the file so that the public has write_ permissions on the file. In the old environment we didn't had to change the file permissions to make this work.
To Reproduce Steps to reproduce the behavior:
- Make sure the kea-ctrl-agent is working correctly.
- The default file permissions on kea-dhcp4.conf in the /etc/kea/ folder is unchanged: so -rw-r--r-- (chmod 644).
- Execute an API call with the config-write command and argument /etc/kea/kea-dhcp4.conf.
- The following error is thrown: Error during write-config:Unable to open file /etc/kea/kea-dhcp4.conf for writing.
- Change the file permissions on /etc/kea/kea-dhcp4.conf to: -rw-r--rw- (chmod 646).
- Execute an API call with the config-write command and argument /etc/kea/kea-dhcp4.conf.
- API call is successfull.
Expected behavior KEA 1.4 on Ubuntu 16.04 with the same file permissions executes the config-write API call successfull with the default file permissions (-rw-r--r-- chmod 644)
The expected behavior in KEA 1.8 on Ubuntu 20.04 was the same. But we had to change the file permissions.
Environment:
- Kea version: 1.8
- OS: Ubuntu 20.04 host, KEA is running in LXC Ubuntu 20.04 containers.
- HA Hooks are loaded.
Additional Information The actual questions is: Do we need to change the file permissions to execute some of the API calls, where this wasn't necessary on KEA 1.4. And if this is necessary, is this documented somewhere?
Contacting you Contact us be reacting to this post please.