NAS info + MySQL

Marcin Jessa lists at yazzy.org
Mon Jun 6 23:59:44 CEST 2005


On Mon, 06 Jun 2005 17:11:46 -0400
"Alan DeKok" <aland at ox.org> wrote:

> Marcin Jessa <lists at yazzy.org> wrote:
> > >   You can send a HUP signal to the server.
> > That would require apache to have access to the radius daemon when
> > using a web-based interface.
> 
>   Uh, no.
 
The way I understand it, say a PHP script used to HUP radiusd would get executed as the httpd user. In that case the httpd daemon would need to be added to the sudoers group like this:
www     your.server = NOPASSWD: /usr/local/sbin/radiusd
How else can this be done?
 


> > Even worse, it'd be pretty much impossible to write a secure GUI
> > application to remotely access freeradius and make it reread the
> > data stored in SQL since activating the changes made in the nas
> > table will require sending HUP signal to the server.
> 
>   You're having a web page update RADIUS clients in SQL, and you're
> worried about a "secure" GUI?  That makes no sense.

That actually makes sense. In both cases a user can be granted only certain privileges by the tool he/she uses, not being able to do any harm to the radius server.
Anyway, a well coded web or GUI application shouldn't be less secure than a *NIX server granting access to remotely accessible services like sshd or smtpd.

> 
>   If the application can update the SQL data, you've already lost most
> of the security of your system.  It means that someone breaking in
> through that application can update SQL, and then use a malicious
> RADIUS client to further attack the server.

The FreeRadius daemon can be remotely accessed and it updates data stored in an SQL database.
Does that make it insecure?
There is always a chance someone can do something nasty with some tool.


> > Maybe a wrapper for that could fix it but IMHO it's not a very
> > "elegant" solution.
> 
>   A web GUI updating the configuration for a security-critical
> application isn't a very "elegant" solution, either.

What in your opinion would make an elegant solution to create a user-friendly tool to configure FreeRadius ?


> > >   Source code modifications.
> > Can this be added to the todo list?
> 
>   Whose?
> 

I was convinced you were a part of the developers team and every project I know of has certain goals and milestones.


Thanks,
Marcin.
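The wrapper approach raised in the message above, as an added example that is neither part of this message nor FreeRADIUS project code: a shell script that does nothing except send SIGHUP to the process named in radiusd's pidfile, so that the sudoers entry can grant the www user that one wrapper, with no arguments, instead of the radiusd binary itself. The pidfile path /var/run/radiusd/radiusd.pid, the host name your.server and the install path /usr/local/sbin/radiusd-hup are assumptions; the sudoers line in the header comment is the assumed matching rule.

```shell
#!/bin/sh
# radiusd-hup: a minimal privileged wrapper whose only job is to send SIGHUP
# to radiusd. Added example, not FreeRADIUS project code; the pidfile path,
# host name and install path below are assumptions.
#
# Matching sudoers entry (the trailing "" means: no arguments allowed):
#   www  your.server = NOPASSWD: /usr/local/sbin/radiusd-hup ""
set -u

PIDFILE="${RADIUSD_PIDFILE:-/var/run/radiusd/radiusd.pid}"

# Return 0 if $1 is a plain positive integer (a plausible pid), 1 otherwise.
# Rejects empty strings, signs, spaces, leading zeros and anything non-numeric,
# so a tampered pidfile cannot turn "kill -HUP" into e.g. "kill -HUP -1".
valid_pid() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    return 0
}

# Print the pid stored in pidfile $1; return 1 if the file is missing,
# empty or does not hold exactly one valid pid.
read_pidfile() {
    [ -f "$1" ] || return 1
    IFS= read -r pid < "$1" || [ -n "$pid" ] || return 1
    valid_pid "$pid" || return 1
    printf '%s\n' "$pid"
}

# Send signal $1 (e.g. HUP) to the process named in pidfile $2.
# Returns 0 on success, 1 if the pidfile is unusable, 2 if no such process
# (or, when not running as root, if the process belongs to another user).
signal_from_pidfile() {
    pid=$(read_pidfile "$2") || return 1
    kill -0 "$pid" 2>/dev/null || return 2
    kill -s "$1" "$pid"
}

# Entry point used when installed as /usr/local/sbin/radiusd-hup.
main() {
    # Refuse every argument: the sudo rule grants exactly this one action.
    [ $# -eq 0 ] || { echo "usage: radiusd-hup (no arguments)" >&2; exit 64; }
    signal_from_pidfile HUP "$PIDFILE"
    status=$?
    case $status in
        0) echo "radiusd reloaded" ;;
        1) echo "radiusd-hup: no valid pid in $PIDFILE" >&2 ;;
        2) echo "radiusd-hup: radiusd is not running" >&2 ;;
    esac
    exit $status
}

# Only run main when executed under the installed name, so the functions
# above can also be sourced and exercised on their own.
case "${0##*/}" in
    radiusd-hup) main "$@" ;;
esac
```

Installed as root-owned, mode 0755, the wrapper is the only command www can run through sudo, and the `""` in the sudoers line means sudo rejects any invocation with arguments, so the web user gains "reload radiusd" and nothing more. signal_from_pidfile takes the signal name as a parameter so it can be exercised with TERM against a throwaway process; the installed entry point only ever passes HUP.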




