On 6 Mar 2014, at 09:41, Alan DeKok <aland@deployingradius.com> wrote:
msheiny@seas.upenn.edu wrote:
I'm running FreeRadius 2.2.0 and am looking for advice on resolving a permissions issue I am running into with a third-party pam module.
You've configured FreeRADIUS to use rlm_pam ?
As far as freeradius goes, I have it configured how I would like - radius authentication is being checked against PAM as I intended. The problem is that this pam module I am running currently requires root permissions but I would prefer to keep radiusd running as a restricted user. I've confirmed I can get around the issue by specifying radiusd to run as root but this is not desired.
Well, you don't really have a choice.
So my question - what would be the best way to run the freeradius pam sub-routine as root but keep the rest of the freeradius system runnning as my restricted user?
You can't have part of a process running as root, and another part as non-root. Process UID is global to the process.
I'm trying to avoid editing source code if I can help it. I realize this is not strictly related to freeradius but figured there may be a freeradius setting I'm not familiar here.
If you really care, you can run 2 RADIUS servers. One, which has *only* rlm_pam and runs as root. The other, running as a radius user, which proxies (some) packets to the first one.
Ah *that* pam module. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2