Not-really-a-bug issue with rlm_unix and maybe other modules

Martin.Ward at uk.neceur.com Martin.Ward at uk.neceur.com
Mon Oct 17 12:28:11 CEST 2005


Hi,

I had a problem with the Radius server where I was using the rlm_unix
module to authenticate users against the passwd and shadow files, but even
when the correct login and password were being used the user was not being
authenticated. There was nothing reported in the log files at all apart
from "Authentication refused".

After much digging around and scrabbling through the source code I
eventually found out that the permissions on the /etc/shadow file were
incorrect. The permissions were 0400 with a group ownership of "sys"
instead of being 0440 with a group ownership of "shadow" (or any other
group of which the freerad user was a member). Changing the permissions and
group membership fixed the problem.

To make other people's lives easier I would like to request an update to
the rlm_unix module to report a permissions error, or simply to report the
output of strerror() to the log file, when such file errors occur.

In the rlm_unix source file, files are opened using the code:

function_name(function defs) {
                FILE            *file = fopen(fname, "ro");
                struct passwd   *pwd = NULL;
                if(file == NULL) return NULL;
...

I would suggest replacing the last line above with:

                if(file == NULL) { radlog(L_ERR, "%s", strerror(errno)); return NULL; }

or whatever equivalent is required. I don't know about the portability of
the strerror() function though, nor of all the details required when
calling the radlog function.

|\/|artin
--
Senior Network Administrator, NEC (Europe) Ltd.
Acton extension: 3379
NEC*Net: 800-44-21-3379
Direct: +44 20 8752 3379
Fax: +44 20 8752 3389
Mobile: +44 7721 869 356
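
The logging change requested in the message above, as an added example that is not part of the original post or of FreeRADIUS's code. The names `open_or_explain` and `log_err` are hypothetical, the logger writes to stderr instead of calling radlog, and on a permission error it also reports the file's mode and owner next to the process's effective uid and gid.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the server's logger (not radlog itself).
 * The message is passed as an argument, never as the format string. */
static void log_err(const char *msg)
{
    fprintf(stderr, "Error: %s\n", msg);
}

/* Open fname for reading. On failure, put the reason in why[] (n bytes),
 * log it, and return NULL with errno set to the fopen() error. */
FILE *open_or_explain(const char *fname, char *why, size_t n)
{
    FILE *fp = fopen(fname, "r");
    struct stat st;
    int saved;

    if (fp != NULL) {
        why[0] = '\0';
        return fp;
    }
    saved = errno;              /* later calls may overwrite errno */
    if (saved == EACCES && stat(fname, &st) == 0)
        /* The case from the post: the file exists but this user cannot read it. */
        snprintf(why, n, "%s: %s (mode %04o uid %ld gid %ld; running as uid %ld gid %ld)",
                 fname, strerror(saved), (unsigned)(st.st_mode & 07777),
                 (long)st.st_uid, (long)st.st_gid,
                 (long)geteuid(), (long)getegid());
    else
        snprintf(why, n, "%s: %s", fname, strerror(saved));
    log_err(why);
    errno = saved;
    return NULL;
}

int main(int argc, char **argv)
{
    char why[256];
    /* The default path is an example; run this as the account the server uses. */
    FILE *fp = open_or_explain(argc > 1 ? argv[1] : "/etc/shadow", why, sizeof why);

    if (fp == NULL)
        return 1;
    fclose(fp);
    return 0;
}
```

The gid shown is only the effective group; supplementary groups, such as membership in "shadow", are not listed.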