On Mon, 06 Jun 2005 17:11:46 -0400 "Alan DeKok" <aland@ox.org> wrote:
Marcin Jessa <lists@yazzy.org> wrote:
You can send a HUP signal to th eserver. That would require apache to have access to the radius deamon when using a web-based interface.
Uh, no.
The way I understand it, say a PHP script used to HUP radiusd would get executed as the httpd user. In that case the httpd deamon would need to be added to the sudoers group like this: www your.server = NOPASSWD: /usr/local/sbin/radiusd How else can this be done?
Even worse, it'd be pretty much impossible to write an secure GUI application to remotely access freeradius and make it reread the data stored in SQL since activating the changes made in the nas table will require sending HUP signal to the server.
You're having a web page update RADIUS clients in SQL, and you're worried about a "secure" GUI? That makes no sense.
That actually makes sense. In both cases a user can be granted only certain privilegues by the tool he/she uses not being able to do any harm to the radius server. Anyway, a well coded web or GUI application shouldn't be less secure as a *NIX server granting access to remotely accessible services like sshd or smtpd.
If the application can update the SQL data, you've already lost most of the security of your system. It means that someone breaking in through that application can update SQL, and then use a malicious RADIUS client to further attack the server.
The FreeRadius daemon can be remotely accessed and it updates data stored in SQL database. Does it make it unsecure ? There is allways a chance someone can do something nasty with some tool.
Maybe a wrapper for that could fix it but IMHO it's not a very "elegant" solution.
A web GUI updating the configuration for a security-critical application isn't a very "elegant" solution, either.
What in your opinion would make an elegant solution to create a user-friendly tool to configure FreeRadius ?
Source code modifications. Can this be added to the todo list?
Whose?
I was convinced you were a part of the developers team and every project I know of has certain goals and milestones. Thanks, Marcin.