On 10 Mar 2014, at 19:28, Alan DeKok <aland@deployingradius.com> wrote:
So... putting 2 and 2 together, we get 4. Setting "group = shadow" means "run FreeRADIUS as group shadow". Since /etc/shadow can be read by anyone in group "shadow", this means that FreeRADIUS will now be able to read /etc/shadow.
As our friend has unsubscribed, this is mostly for anyone reading the archives. I suspect the problem here is either SELinux or the shadow group not existing. RHEL doesn't have a shadow group by default - as it's a nasty hack and potential source of vulnerability, you're expected to have the sense to create it yourself if its needed. It's also tagged with a unique policy type: [root@orps1 ~]# ls -alZ /etc/shadow ----------. root root system_u:object_r:shadow_t:s0 /etc/shadow Which I *think* would cause an AVC denial. Then there's the small matter of /etc/shadow having no permission mask by default. But someone who's been doing this for a long time would have checked such things, or even provided us with the output of strace, right? :) Regards, Adam Bishop Systems Development Specialist gpg: 0x6609D460 t: +44 (0)1235 822 245 xmpp: adamb@jabber.dev.ja.net Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238