Starting radius issue - configuration files globaly readable.
Hi! I have just compiled the latest CVS and whenever I try to start radius I get the following info: Configuration file /home/radius/freeradius/raddb/radiusd.conf is globally readable. This is because I use the symbolic links to files. Can this restriction be somehow removed?? Bests -tomasz
tzieleniewski wrote:
Hi!
I have just compiled the latest CVS and whenever I try to start radius I get the following info: Configuration file /home/radius/freeradius/raddb/radiusd.conf is globally readable.
This is because I use the symbolic links to files. Can this restriction be somehow removed??
Edit the source code. I will likely be updating the checks to be a little smarter than what they are right now. But having the config files globally readable means that anyone can pretend to be the RADIUS server. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Thu 08 Feb 2007 13:58, Alan DeKok wrote:
tzieleniewski wrote:
Hi!
I have just compiled the latest CVS and whenever I try to start radius I get the following info: Configuration file /home/radius/freeradius/raddb/radiusd.conf is globally readable.
This is because I use the symbolic links to files. Can this restriction be somehow removed??
Edit the source code.
I will likely be updating the checks to be a little smarter than what they are right now. But having the config files globally readable means that anyone can pretend to be the RADIUS server.
I have to say that this caught me out also when I upgraded one of my radius servers yesterday. My spec files had radiusd.conf as world readable, but clients.conf and sql.conf etc (everything with passwords in them) as only radiusd group readable. Next time you make a change like this can you give a heads up to packagers? :-) It still might be worth notifying the debian guys etc... Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Peter Nixon wrote:
I have to say that this caught me out also when I upgraded one of my radius servers yesterday. My spec files had radiusd.conf as world readable, but clients.conf and sql.conf etc (everything with passwords in them) as only radiusd group readable.
Next time you make a change like this can you give a heads up to packagers? :-)
OK. In somewhat of a defense, there's no official release based on that code yet. I'm going to update the checks to make them a little less restrictive. ${raddb} should be o-rwx. Any files within ${raddb} can have any permission they want. Sound OK? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Fri 09 Feb 2007 12:25, Alan DeKok wrote:
Peter Nixon wrote:
I have to say that this caught me out also when I upgraded one of my radius servers yesterday. My spec files had radiusd.conf as world readable, but clients.conf and sql.conf etc (everything with passwords in them) as only radiusd group readable.
Next time you make a change like this can you give a heads up to packagers? :-)
OK. In somewhat of a defense, there's no official release based on that code yet.
I'm going to update the checks to make them a little less restrictive. ${raddb} should be o-rwx. Any files within ${raddb} can have any permission they want.
Sound OK?
0750 for the dirs and 0640 for the files is a pretty reasonable set of permissions in my opinion... Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Peter Nixon wrote:
0750 for the dirs and 0640 for the files is a pretty reasonable set of permissions in my opinion...
Yes. I'll poke the Makefiles so that when the server is built, the local files have the correct permissions before installation. That will help, too. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Peter Nixon -
tzieleniewski