Mimic lower_user in FR2

Alexander Clouter alex at digriz.org.uk
Thu Sep 24 17:24:30 CEST 2009


Thor Spruyt <thor.spruyt at telenet.be> wrote:
> 
> Since lower_user doesn't exist anymore in FR2, I was thinking of doing 
> the following in FR2 to mimic the behaviour, which seems to be working 
> correctly:
> 
> In "hints" file:
> 
> DEFAULT User-Name !~ /^$/
>        User-Name := `%{exec:/opt/tolower %{User-Name}}`,
>        Fall-Through = Yes
> 
> DEFAULT Stripped-User-Name !~ /^$/
>        Stripped-User-Name := `%{exec:/opt/tolower %{Stripped-User-Name}}`,
>        Fall-Through = Yes
> 
> 
> Content of "/opt/tolower":
> 
> #!/bin/sh
> 
> echo -n "$1" | tr '[A-Z]' '[a-z]'
> 
> Is there any reason why I should not do this or why it's not recommended?
> The servers on which I want to do this are not heavily loaded (<1req/s).
> 
Well although the load is not a problem, I mean you should feel *really* 
dirty that every time a packet goes through your box, you system() out 
twice.

Hell I feel dirty enough when doing the following for the not-often 
upstream proxying requests we do:
----
update proxy-request {
  NAS-IP-Address := `/bin/hostname -i`
  NAS-Identifier := `/bin/hostname -f`
}
----

This however is just me being lazy until I patch FreeRADIUS to give me 
some static runtime variable action :)

You should do this with Perl if you really want or alternatively I'll 
start sending your RADIUS server something like the following as you do
no validation at all (you get the idea, might work, probably won't, but
why risk it?):
----
User-Name = '\"; rm -rf /; echo \"'
----

Cheers

-- 
Alexander Clouter
.sigmonster says: The best things in life go on sale sooner or later.
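
The concern raised in the reply is that the quoted /opt/tolower helper receives User-Name with no validation at all. The following is an added example, not code from either poster or from FreeRADIUS: a stricter stand-in for that helper which checks the value before lowercasing it. The function name tolower_safe, the character allowlist and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stricter stand-in for the /opt/tolower helper quoted above.
# tolower_safe, the allowlist and the sample inputs are illustrative assumptions.

# Pin the locale so the A-Z / a-z ranges below are plain ASCII byte ranges.
LC_ALL=C
export LC_ALL

# Print $1 lowercased on stdout; return 1 with no output if it fails validation.
tolower_safe() {
    [ "$#" -eq 1 ] || return 1
    name=$1

    # Empty names and names longer than one RADIUS attribute value (253 octets).
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1

    case $name in
        # A leading dash could be read as an option by a later command.
        -*) return 1 ;;
        # Allowlist (assumed policy): letters, digits, dot, underscore, @, dash.
        # Quotes, semicolons, backslashes, spaces and backticks all fail here.
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac

    # printf '%s' prints the value literally; echo -n treats option-like
    # arguments and backslashes differently from shell to shell.
    printf '%s' "$name" | tr 'A-Z' 'a-z'
}

# Constructed sample inputs; the last one is the User-Name from the reply above.
# It is only ever handled as a quoted string and is rejected by the allowlist.
for sample in 'Alice@Example.ORG' 'host.Printer-01' '-n' \
              '\"; rm -rf /; echo \"'; do
    if result=$(tolower_safe "$sample"); then
        printf 'accepted: %s\n' "$result"
    else
        printf 'rejected: %s\n' "$sample"
    fi
done
```

A non-zero exit with empty output gives the caller a clear signal to reject the request instead of continuing with the original attribute.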



