Also, I think I found another problem: in command.c, I believe that if (getpeereid(listener->fd, &uid, &gid) < 0) { should be if (getpeereid(newfd, &uid, &gid) < 0) { Because right now, it reports that connections are always from uid 0, even if the caller is definitely a different uid. Client window: $ sudo su - www-data $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $ ruby -e 'puts Process.euid, Process.uid' 33 33 $ strace /usr/sbin/radmin (same infinite loop as before) Server output shows the following: Ready to process requests. ... new connection request on command socket. Unauthorized connection to /var/run/freeradius/freeradius.sock from gid 0 Ready to process requests. (But it's not gid 0, it's gid 33!) strace on the freeradius -X: write(1, "Ready to process requests.\n", 27Ready to process requests. ) = 27 select(211, [203 205 206 207 208 209 210], NULL, NULL, NULL) = 1 (in [207]) write(1, " ... new connection request on c"..., 47 ... new connection request on command socket. ) = 47 accept(207, {sa_family=AF_FILE, NULL}, [2]) = 211 getsockopt(207, SOL_SOCKET, SO_PEERCRED, "\231%\0\0\0\0\0\0\0\0\0\0", [12]) = 0 write(1, "Unauthorized connection to /var/"..., 74Unauthorized connection to /var/run/freeradius/freeradius.sock from uid 0 ) = 74 close(211) = 0 write(1, "Ready to process requests.\n", 27Ready to process requests. ) = 27 select(211, [203 205 206 207 208 209 210], NULL, NULL, NULL So getsockopt returns 0, which is success. I just think it's asking about the wrong socket. Regards, Brian.