Hi,
looking a the code inside rad_mkdir, it realises that the directory exists, but then tries a chmod() with hard-wired permissions to 0700 (rlm_linelog.c harwired this value) (why?) which fails (why, I don't know, I'm root after all).
SELinux?
No, turned out that the directory is owned by root, but the attempt at chmod() was after radiusd dropped its UID/GID to the non-privileged radiusd/radiusd. In effect, radiusd at runtime forces the log dir to have same owner that is also the uid/gid of the daemon (else calling chmod() is not authorized); and it scrubs any changes to in permissions which an admin may do on the filesystem himself. Even if the same-ownership is the default on many installations, and 755 is probably defaulty as well, enforcing that silently in code is a significant behaviour change (and none I see in the Changelog even). Not what I expected in a patchlevel update anyway.
That chmod() wasn't done in earlier versions; used stat() and returned 0 without making a fuss.
It's an attempt at security. If the call to rad_mkdir() says that the directory should be 0755, then the directory should be set to that.
I've pushed a fix.
Hm. If the admin thinks otherwise, shouldn't his will be respected? Also, the fix looks misplaced? I think it's the chmod() here: if (rcode < 0) { if (errno == EEXIST) { return chmod(directory, mode); } The directory exists, so this is the code path with the "strange" chmod(). Your change doesn't do the chmod() on actual newly created directories. I believe that *there* it makes sense to keep the chmod() because you'll be populating something that didn't exist before with a sane default. At the other place, you're changing things an admin did without asking him. Greetings, Stefan Winter
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66