NAS info + MySQL
Alan DeKok
aland at ox.org
Tue Jun 7 21:05:00 CEST 2005
Marcin Jessa <lists at yazzy.org> wrote:
> One more thing about this solution is you would need to either run
> radiusd as root or chown radiususer:radiusgroup the radius configs
> in order to be able to HUP radiusd. Radius daemon is started as
> root and then switched to the unprivileged user defined in
> radiusd.conf. Radius will die if it gets signal HUP and the config
> files are not owned by the unprivileged user.
No. It will die if it can't read the files. That's different.
> Having radius configs owned by unprivileged user increases security
> risk, since this will grant an attacker who manages to abuse the
> server access to change the configs... Either way, sending -HUP
> signal to a running radius daemon seems like a bad idea.
Only if the file permissions prevent it.
$ chown -R root.radiusd /etc/raddb
$ chmod o-rw /etc/raddb/*
$ chmod g-w /etc/raddb/*
$ chmod g+r /etc/raddb/*
And have the server run as user "radiusd", group "radiusd". It has
read permissions to radiusd.conf, so a HUP will work. It doesn't have
write permissions, so it's secure.
This is what different groups & file permissions are for.
Alan DeKok.
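As an added illustration of the permission scheme described above (an example script written for this page, not part of the original thread and not FreeRADIUS's own code): it builds a scratch copy of a raddb-style tree with constructed sample files, applies "owner rw, group r, others nothing" modes, and audits the tree for the two failure modes the thread mentions, files the daemon's group cannot read (a HUP will kill the server) and files that group or others can write (an attacker who abuses the server can alter the config). It assumes it may run unprivileged, so it sets mode bits only and leaves the chown -R root:radiusd step to the caller.

```shell
#!/bin/sh
# Example for the permission scheme in the thread above. Not from FreeRADIUS.
# Assumption: run without root, so only mode bits are set and checked here;
# in production run "chown -R root:radiusd /etc/raddb" first.
set -eu

# Build a scratch tree that mimics /etc/raddb (constructed sample data).
make_sample_raddb() {
    dir=$(mktemp -d)
    printf 'user = radiusd\ngroup = radiusd\n' > "$dir/radiusd.conf"
    printf 'client localhost { ipaddr = 127.0.0.1 }\n' > "$dir/clients.conf"
    mkdir "$dir/certs"
    printf 'not a real certificate\n' > "$dir/certs/server.pem"
    echo "$dir"
}

# Apply the intended policy: root (owner) may write, the daemon group may
# only read, everyone else gets nothing. Directories keep x so the daemon
# can traverse them.
lock_down() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Audit before sending HUP. Flags anything that is
#   - writable by group or others (the daemon, or anyone, could rewrite it), or
#   - readable by others (config holds shared secrets), or
#   - not readable by the group (the daemon would fail to re-read it on HUP).
# Returns 0 when the tree is clean, 1 otherwise.
audit_raddb() {
    bad=$(find "$1" \( -perm -g+w -o -perm -o+w -o -perm -o+r -o ! -perm -g+r \) -print)
    if [ -n "$bad" ]; then
        printf 'Insecure or unreadable permissions on:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Demonstration on the scratch tree: lock it down, then audit it.
demo_dir=$(make_sample_raddb)
lock_down "$demo_dir"
if audit_raddb "$demo_dir"; then
    echo "OK: $demo_dir is group-readable and writable only by its owner"
fi
rm -rf "$demo_dir"
```

Run it as the unprivileged user and then, in production, repeat the audit against the real /etc/raddb after the chown; a clean audit means the server user can re-read its configuration on HUP without being able to change it.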
More information about the Freeradius-Users
mailing list