What else should radmin do?
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Feb 5 12:10:11 CET 2015
> On 5 Feb 2015, at 16:29, Rui Ribeiro <ruyrybeyro at gmail.com> wrote:
>
> Interesting. You are right, I forgot to add, unlike you, I change the
> radmin group from the default freerad for security reasons, that is
> probably the cause. I do not think it is a good idea to have the control
> socket as freerad, if I am wrong someone please correct me.
>
> As for Debian packaging, I am building my debs from the freeradius source,
> indeed. I may be wrong, maybe I had for a short time radmin working as
> non-root in 2.1.12.
>
radmin will work as non-root.
It's dependent on OS whether socket file permissions are enforced.
If they are (Linux) you need to change the radiusd user/group to one that's permissive enough to allow whichever user you want to use to connect to the socket as, read/write access to the socket file.
After you get over that hurdle, you need to make sure the euid/egid of radmin match whatever you have set for the socket, so peercred authentication succeeds.
I have a pull request open for review:
https://github.com/FreeRADIUS/freeradius-server/pull/892
To use file system permissions to enforce access. This should be significantly more flexible.
-Arran
> Regards
>
>
> radius2:~$ apt-cache policy freeradius
> freeradius:
> Installed: 3.0.7+git
> Candidate: 3.0.7+git
> Version table:
> *** 3.0.7+git 0
> 500 http://debian.srv.rede/local/ iscte/wheezy amd64 Packages
> 100 /var/lib/dpkg/status
>
>
> On 5 February 2015 at 09:22, Bjørn Mork <bjorn at mork.no> wrote:
>
>> Rui Ribeiro <ruyrybeyro at gmail.com> writes:
>>
>>> Hi Alan,
>>>
>>> It would be interesting to make radmin work as non-root. At least in
>>> Debian 7 and 8, it has not worked since 2.2.2 at least;
>>
>> Debian 7 has 2.1.12. Debian 8 has 2.2.5. And radmin works fine as
>> non-root in both.
>>
>> I did a test install on Debian sid (same freeradius package as in Debian
>> 8 "jessie"), just to verify right now. This is using default Debian
>> configs, except for enabling the control socket:
>>
>> frtest1:/etc/freeradius/sites-enabled# ln -s ../sites-available/control-socket
>> frtest1:/etc/freeradius/sites-enabled# /etc/init.d/freeradius restart
>> [ ok ] Stopping FreeRADIUS daemon: freeradius.
>> [ ok ] Starting FreeRADIUS daemon: freeradius.
>>
>>
>> test at frtest1:~$ apt-cache policy freeradius
>> freeradius:
>> Installed: 2.2.5+dfsg-0.2
>> Candidate: 2.2.5+dfsg-0.2
>> Version table:
>> *** 2.2.5+dfsg-0.2 0
>> 500 http://ftp.no.debian.org/debian/ sid/main amd64 Packages
>> 100 /var/lib/dpkg/status
>> test at frtest1:~$ id
>> uid=1001(test) gid=1001(test) groups=1001(test),112(freerad)
>> test at frtest1:~$ /usr/sbin/radmin
>> radmin version 2.2.5 - FreeRADIUS Server administration tool.
>> Copyright (C) 2008-2012 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License v2.
>> radmin> show version
>> FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 24 2014 at 02:05:28
>> radmin> show uptime
>> Up since Thu Feb 5 10:14:02 2015
>>
>>
>>> I am using 3.0.7 from git atm.
>>
>> OK, so your problems have nothing to do with any Debian packaging.
>>
>>
>> Bjørn
>>
>
>
>
> --
> Regards,
>
> --
> Rui Ribeiro
> Senior Sysadm
> ISCTE-IUL
> https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
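
The two layers described in the reply above (file permissions on the socket, then a peer credential check against the connecting process), as an added Linux sketch that is not part of the original message and is not FreeRADIUS code. The function names, the `control.sock` path and the 0660 mode are assumptions chosen for illustration.

```python
import os
import socket
import stat
import struct
import tempfile

UCRED = "iII"  # struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer, as recorded by the kernel at connect()."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)


def peer_allowed(cred, want_uid=None, want_gid=None):
    """Hypothetical policy: every configured id must match the peer's id."""
    _pid, uid, gid = cred
    if want_uid is not None and uid != want_uid:
        return False
    if want_gid is not None and gid != want_gid:
        return False
    return True


def demo():
    """Bind a control socket, connect to it, and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "control.sock")  # constructed path
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        old = os.umask(0o177)  # no window where the socket is world-accessible
        try:
            srv.bind(path)
        finally:
            os.umask(old)
        os.chmod(path, 0o660)  # layer 1: owner and group may connect (Linux)
        srv.listen(1)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)      # needs write permission on the socket file
        conn, _ = srv.accept()
        cred = peer_credentials(conn)  # layer 2: ids come from the kernel
        result = {
            "mode": oct(stat.S_IMODE(os.stat(path).st_mode)),
            "cred": cred,
            "matching_ids": peer_allowed(cred, os.geteuid(), os.getegid()),
            "wrong_uid": peer_allowed(cred, want_uid=os.geteuid() + 1),
        }
        for s in (conn, cli, srv):
            s.close()
        return result
```

The credentials are reported by the kernel for the connecting process, so a client cannot claim ids it does not hold; a client in the right group still fails the second check if the configured uid or gid differs from its own.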