Alan DeKok wrote:
And the server SHOULD be run as "root" the first time to generate the certificates. You should then fix the permissions to match your local policy.
The Debian policy is to run FreeRADIUS as non-root user. I'm going to fix the Debian post-install script (which runs as root) to create the default certificates for a new install. BTW I noticed that "bootstrap" creates by default world-readable certificates. Perhaps the following patch may be useful: Index: raddb/certs/bootstrap =================================================================== RCS file: /source/radiusd/raddb/certs/bootstrap,v retrieving revision 1.2 diff -u -r1.2 bootstrap --- raddb/certs/bootstrap 18 Aug 2007 13:34:31 -0000 1.2 +++ raddb/certs/bootstrap 19 Aug 2007 12:20:56 -0000 @@ -10,5 +10,6 @@ # # $Id: bootstrap,v 1.2 2007/08/18 13:34:31 aland Exp $ # +umask 027 cd `dirname $0` make ca server dh random -- Nicolas Baradakis