Fwd: Shell script execution
Hello, I'm trying to add a shell script value into a variable to use it in the server response. To do it, I add the following line to my /sites-available/default file (in the post-proxy section) : Filter-Id := `/usr/sbin/ldap_get_group_info.sh %{User-name}`
But nothing that happens. If I use Filter-Id := `test 123`
I end up with the message "test 123". My Freeradius version is *freeradius-2.1.12-6.el6.x86_64* and I'm running it on Redhat 6.6. My script turns ok when I run it directly from a command line. The script code is : #! /bin/bash
userDN=$(ldapsearch -h 10.2.0.86 -D "cn=Administrator,cn=Users,dc=domain,dc=fr" -w "pp" -b "dc=domain,dc=fr" -p 389 "(&(mail=$1)(objectClass=user))" cn -LLL | grep "dn: ") userDN=$(echo $userDN | sed "s/dn: //g")
echo "userDN = $userDN" >> /tmp/test
var=$(ldapsearch -h 10.2.0.86 -D "cn=Administrator,cn=Users,dc=domain,dc=fr" -w "pp" -b "dc=domain,dc=fr" -p 389 -z 1 "(&(member=$userDN)(cn=vpn_*)(objectClass=group))" cn -LLL | grep "cn: ")
vpn_cn=$(echo "$var" | sed "s/cn: //g") ret=$(ldapsearch -h 10.2.0.86 -D "cn=Administrator,cn=Users,dc=domain,dc=fr" -w "pp" -b "dc=domain,dc=fr" -p 389 "(cn=$vpn_cn)" info -LLL | grep "info")
attr=$(echo $ret | sed "s/info: //g") echo "return attribute = $attr" >> /tmp/test echo "$attr"
I also did the following tests (test -> result) Filter-Id := '/usr/sbin/ldap_get_group_info.sh %{User-name}' ->
/usr/sbin/ldap_get_group_info.sh %{User-name}
Filter-Id := "/usr/sbin/ldap_get_group_info.sh %{User-name}" ->
/usr/sbin/ldap_get_group_info.sh monUserTest
Filter-Id := /usr/sbin/ldap_get_group_info.sh %{User-name} ->
/usr/sbin/ldap_get_group_info.sh
Does someone knows why it doesn't work? Is there a way to enable some logs to see why it doesn't work? Thanks in advance for your help, Marc
Filter-Id := '/usr/sbin/ldap_get_group_info.sh %{User-name}' ->
/usr/sbin/ldap_get_group_info.sh %{User-name}
That won't work. Single quotes are literally quoting what's in the quotes.
Filter-Id := "/usr/sbin/ldap_get_group_info.sh %{User-name}" ->
/usr/sbin/ldap_get_group_info.sh monUserTest
That looks better, but it doesn't give you what you want.
Does someone knows why it doesn't work? Is there a way to enable some logs to see why it doesn't work?
Yes, run radiusd -X to run it in debug mode, then do a request. Check that user radiusd actually has permissions to execute the script. Try this: Filter-Id := "%{echo:/usr/sbin/ldap_get_group_info.sh %{User-Name}}" That should do the trick provided that user radiusd has permission to execute the script. Also, you could do the searches you're doing with the LDAP module? :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi, thanks for your answer. I've tried to do Filter-Id := "%{echo:/usr/sbin/ldap_get_group_info.sh %{User-Name}}" as you told but in the* radiusd -X* log I've got WARNING: Unknown module "echo" in string expansion "%" Then I've tried to do my first attempt (but using the* radiusd -X *debug mode): Filter-Id := `/usr/sbin/ldap_get_group_info.sh %{User-name}` And it works well. Then I've tried a second time, but without the* radiusd -X* command (using *service radiusd start*), and it didn't work. to resume : Filter-Id := `/usr/sbin/ldap_get_group_info.sh %{User-name}` works if I start Freeradius with *radiusd -X* it doesn't works if I start Freeradius with *service radiusd start* Maybe is a question of script execution time? Thanks again for your help, Marc 2015-04-16 10:32 GMT+02:00 Stefan Paetow <Stefan.Paetow@jisc.ac.uk>:
Filter-Id := '/usr/sbin/ldap_get_group_info.sh %{User-name}' ->
/usr/sbin/ldap_get_group_info.sh %{User-name}
That won't work. Single quotes are literally quoting what's in the quotes.
Filter-Id := "/usr/sbin/ldap_get_group_info.sh %{User-name}" ->
/usr/sbin/ldap_get_group_info.sh monUserTest
That looks better, but it doesn't give you what you want.
Does someone knows why it doesn't work? Is there a way to enable some logs to see why it doesn't work?
Yes, run radiusd -X to run it in debug mode, then do a request. Check that user radiusd actually has permissions to execute the script.
Try this:
Filter-Id := "%{echo:/usr/sbin/ldap_get_group_info.sh %{User-Name}}"
That should do the trick provided that user radiusd has permission to execute the script.
Also, you could do the searches you're doing with the LDAP module?
:-)
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And it works well. Then I've tried a second time, but without the* radiusd -X* command (using *service radiusd start*), and it didn't work.
Then you've likely got a permissions issue. Check the user radiusd is running as can execute your script. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
as you told but in the* radiusd -X* log I've got WARNING: Unknown module "echo" in string expansion "%"
Ok... that's odd because the echo module is enabled by default in v2.1.12. Check in /etc/raddb/modules for a module called 'echo'.
And it works well. Then I've tried a second time, but without the* radiusd -X* command (using *service radiusd start*), and it didn't work.
Then it's a permission issue. Do this: As root execute: su - --shell=/bin/bash radiusd It should drop you into user radiusd. Then as radiusd execute: /usr/sbin/ldap_get_group_info.sh See whether it works. Then as radiusd, execute: radiusd -X Try your request again. You *should* see a message if FR couldn't execute the script, complete with error message. With Regards Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi, thanks again for the help. As you said I ran the *radiusd -X *command using the radiusd user, but both the script and the freeradius call worked. I also did the following analysis: [root@ALPRRH sites-available]# *radiusd*
[root@ALPRRH sites-available]# ps -elf | grep radiusd
5 S radiusd 2891 1 0 80 0 - 71422 poll_s 08:13 ? 00:00:00 radiusd 0 S root 2926 2392 0 80 0 - 25812 pipe_w 08:15 pts/3 00:00:00 grep radiusd
[root@ALPRRH sites-available]# service radiusd stop
Stopping radiusd: [ OK ] [root@ALPRRH sites-available]# *service radiusd start* Starting radiusd: [ OK ]
[root@ALPRRH sites-available]# ps -elf | grep radiusd
5 S radiusd 2952 1 0 80 0 - 38653 poll_s 08:15 ? 00:00:00
/usr/sbin/radiusd -d /etc/raddb
0 S root 2960 2392 0 80 0 - 25812 pipe_w 08:15 pts/3 00:00:00
grep radiusd
[root@ALPRRH sites-available]# service radiusd stop
Stopping radiusd: [ OK ]
[root@ALPRRH sites-available]# */usr/sbin/radiusd*
[root@ALPRRH sites-available]# ps -edf | grep radiusd
radiusd 3230 1 0 08:54 ? 00:00:00 /usr/sbin/radiusd root 3237 2392 0 08:54 pts/3 00:00:00 grep radiusd
[root@ALPRRH sites-available]# service radiusd stop
Stopping radiusd: [ OK ] [root@ALPRRH sites-available]# *service radiusd start* Starting radiusd: [ OK ]
[root@ALPRRH sites-available]# ps -elf | grep radiusd
5 S radiusd 2952 1 0 80 0 - 38653 poll_s 08:15 ? 00:00:00 /usr/sbin/radiusd 0 S root 2960 2392 0 80 0 - 25812 pipe_w 08:15 pts/3 00:00:00 grep radiusd
On both "service radiusd start", the script call didn't worked. On both "radiusd" and "/usr/sbin/radiusd" the script call worked It looks that in both case is the same user (radiusd) that runs the shell script, but it only works when manually starting Freeradius. Maybe it's a timing issue? Is there a way to see any logs when running *service radiusd start *? My /var/log/raddb/radius.log don't show any detailed information (neither /var/log/radius/radacct/<client IP>/auth-detail-20150415)... 2015-04-16 12:37 GMT+02:00 Stefan Paetow <Stefan.Paetow@jisc.ac.uk>:
as you told but in the* radiusd -X* log I've got WARNING: Unknown module "echo" in string expansion "%"
Ok... that's odd because the echo module is enabled by default in v2.1.12. Check in /etc/raddb/modules for a module called 'echo'.
And it works well. Then I've tried a second time, but without the* radiusd -X* command (using *service radiusd start*), and it didn't work.
Then it's a permission issue. Do this:
As root execute: su - --shell=/bin/bash radiusd
It should drop you into user radiusd.
Then as radiusd execute: /usr/sbin/ldap_get_group_info.sh
See whether it works.
Then as radiusd, execute: radiusd -X
Try your request again. You *should* see a message if FR couldn't execute the script, complete with error message.
With Regards
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It looks that in both case is the same user (radiusd) that runs the shell script, but it only works when manually starting Freeradius. Maybe it's a timing issue?
no.
Is there a way to see any logs when running *service radiusd start *? My /var/log/raddb/radius.log don't show any detailed information (neither /var/log/radius/radacct/<client IP>/auth-detail-20150415)...
sudo /usr/sbin/radiusd -f -xx -lstdout That'll give you debug output, with the radius process running with its euid/egid running as the ones set in radiusd.conf. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thanks for your answer. I did as you told ( /usr/sbin/radiusd -f -xx -lstdout), but as I said, when I start freeradius manually, it works well, so I don't have any error in the logs. My problem is to have the same kind of logs when launching Freeradius with the service call (service radiusd start). If I do that, I don't have any logs to see why the script call isen't executed... 2015-04-16 13:32 GMT+02:00 Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
It looks that in both case is the same user (radiusd) that runs the shell script, but it only works when manually starting Freeradius. Maybe it's a timing issue?
no.
Is there a way to see any logs when running *service radiusd start *? My /var/log/raddb/radius.log don't show any detailed information (neither /var/log/radius/radacct/<client IP>/auth-detail-20150415)...
sudo /usr/sbin/radiusd -f -xx -lstdout
That'll give you debug output, with the radius process running with its euid/egid running as the ones set in radiusd.conf.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I did as you told ( /usr/sbin/radiusd -f -xx -lstdout), but as I said, when I start freeradius manually, it works well, so I don't have any error in the logs.
I'll have a look... although, that said, this *is* 2.1.12... which is positively ancient. You really should switch to the FR 3.x stream (although RH, and by association CentOS, won't switch the FR stream to 3.x on the RH/CentOS 6.x platform because it breaks the configuration somewhat. With Regards Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
I know that is not the latest one :( I first try downloaded centOS 7 with Freeradius 3.x, but there is a limitation with one of my client's components that need Freeradius 2.x/ redhat 6.6... Do you think it might be a version 2.x bug? Thanks again for your help, Marc 2015-04-16 14:26 GMT+02:00 Stefan Paetow <Stefan.Paetow@jisc.ac.uk>:
I did as you told ( /usr/sbin/radiusd -f -xx -lstdout), but as I said, when I start freeradius manually, it works well, so I don't have any error in the logs.
I'll have a look... although, that said, this *is* 2.1.12... which is positively ancient. You really should switch to the FR 3.x stream (although RH, and by association CentOS, won't switch the FR stream to 3.x on the RH/CentOS 6.x platform because it breaks the configuration somewhat.
With Regards
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 16 Apr 2015, at 13:43, mdii <mdii.alias@gmail.com> wrote:
I know that is not the latest one :(
I first try downloaded centOS 7 with Freeradius 3.x, but there is a limitation with one of my client's components that need Freeradius 2.x/ redhat 6.6...
If it's a perl or python script the perl and python modules should be compatible between v3.0.x and v2.2.x. If it's a C module, then yes, the API has changed considerably.
Do you think it might be a version 2.x bug?
No. Almost certainly not. I guess it might be an interaction with selinux. You should probably check the audit logs. -Arran
It's a shell script that do some ldapsearch commands 2015-04-16 14:52 GMT+02:00 Arran Cudbard-Bell <a.cudbardb@gmail.com>:
On 16 Apr 2015, at 13:43, mdii <mdii.alias@gmail.com> wrote:
I know that is not the latest one :(
I first try downloaded centOS 7 with Freeradius 3.x, but there is a limitation with one of my client's components that need Freeradius 2.x/ redhat 6.6...
If it's a perl or python script the perl and python modules should be compatible between v3.0.x and v2.2.x.
If it's a C module, then yes, the API has changed considerably.
Do you think it might be a version 2.x bug?
No. Almost certainly not. I guess it might be an interaction with selinux. You should probably check the audit logs.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 16 Apr 2015, at 13:58, mdii <mdii.alias@gmail.com> wrote:
It's a shell script that do some ldapsearch commands
Then it won't specifically need 2.2.x. The shell script interface hasn't changed, I doubt even the arguments supported by ldapsearch will have changed... Also, consider using the native LDAP module in v3.0.x it's flexible enough for the majority of scenarios, and will be *significantly* faster. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi, sorry for the double answer :( How do I check the audit logs? 2015-04-16 14:52 GMT+02:00 Arran Cudbard-Bell <a.cudbardb@gmail.com>:
On 16 Apr 2015, at 13:43, mdii <mdii.alias@gmail.com> wrote:
I know that is not the latest one :(
I first try downloaded centOS 7 with Freeradius 3.x, but there is a limitation with one of my client's components that need Freeradius 2.x/ redhat 6.6...
If it's a perl or python script the perl and python modules should be compatible between v3.0.x and v2.2.x.
If it's a C module, then yes, the API has changed considerably.
Do you think it might be a version 2.x bug?
No. Almost certainly not. I guess it might be an interaction with selinux. You should probably check the audit logs.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I first try downloaded centOS 7 with Freeradius 3.x, but there is a limitation with one of my client's components that need Freeradius 2.x/ redhat 6.6...
It might be useful to know whether the components require FR 2.x specifically, or whether it's the OS that matters. If it's the latter, you can upgrade to FR 3.x on CentOS/RHEL 6.x: http://packages.networkradius.com/centos/6.5/ Alan D, this needs updating to 3.0.7, please?
Do you think it might be a version 2.x bug?
As Arran just pointed out, it's quite possible that SELinux won't let you execute this script. Run audit2allow and grep for radiusd to see if there is an access denied in there somewhere. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
I would like to thank you both for the attention and the help you're giving I've tried to run audit2allow but I didn't had the package. I did the install and ran one test (using the service start). As spectated it didn't work (Filter-Id was empty), and then I run *audit2allow | grep radiusd* and I've got : #============= radiusd_t ============== allow radiusd_t user_tmp_t:file execute; To explain why I can't use the 3.x is that we're using package that receives the Freeradius call and do a REST API call to a distant server, and this package is only available for Freeradius 2.x at the moment... :( I've got good news: I try to disable SELinux and it works!!! :) 2015-04-16 14:59 GMT+02:00 Stefan Paetow <Stefan.Paetow@jisc.ac.uk>:
I first try downloaded centOS 7 with Freeradius 3.x, but there is a limitation with one of my client's components that need Freeradius 2.x/ redhat 6.6...
It might be useful to know whether the components require FR 2.x specifically, or whether it's the OS that matters. If it's the latter, you can upgrade to FR 3.x on CentOS/RHEL 6.x: http://packages.networkradius.com/centos/6.5/
Alan D, this needs updating to 3.0.7, please?
Do you think it might be a version 2.x bug?
As Arran just pointed out, it's quite possible that SELinux won't let you execute this script. Run audit2allow and grep for radiusd to see if there is an access denied in there somewhere.
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, #============= radiusd_t ============== allow radiusd_t user_tmp_t:file execute; To explain why I can't use the 3.x is that we're using package that receives the Freeradius call and do a REST API call to a distant server, and this package is only available for Freeradius 2.x at the moment... :( I've got good news: I try to disable SELinux and it works!!! err, well, yes....but what you should do is find out 1) why the SELinux is doing this - likely that the directories dont have the right selinux tags (check with eg ls -Z) , you can use restorecon etc OR as you know the requirements and it looks sane, then use the SELinux tools to ensure you have a live policy that means SELinux can be on alan
Hi!
To explain why I can't use the 3.x is that we're using package that receives the Freeradius call and do a REST API call to a distant server, and this package is only available for Freeradius 2.x at the moment... :(
Ahh I see.
I've got good news: I try to disable SELinux and it works!!!
Ok, then it's definitely a SELinux call.
#============= radiusd_t ============== allow radiusd_t user_tmp_t:file execute;
This you now turn into a SELinux policy: Run: audit2allow -a -M radiusd_shellexecute Then run: semodule -i radiusd_shellexecute.pp This should install the new policy into SELinux and give radiusd the rights to execute a shell and run your script. I would, for safety sake, run 'cat radiusd_shellexecute.te' before the 'semodule -i' call to see what the policy is that audit2allow generated. If unsure, paste the contents of the radiusd_shellexecute.te file here... we'll have a look. ;-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Thu, Apr 16, 2015 at 03:59:47PM +0200, mdii wrote:
To explain why I can't use the 3.x is that we're using package that receives the Freeradius call and do a REST API call to a distant server, and this package is only available for Freeradius 2.x at the moment... :(
There's a rlm_rest module for FR3 that allows you do to fairly random HTTP calls to remote servers if that helps. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 16 Apr 2015, at 16:32, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Thu, Apr 16, 2015 at 03:59:47PM +0200, mdii wrote:
To explain why I can't use the 3.x is that we're using package that receives the Freeradius call and do a REST API call to a distant server, and this package is only available for Freeradius 2.x at the moment... :(
There's a rlm_rest module for FR3 that allows you do to fairly random HTTP calls to remote servers if that helps.
As of 3.0.7 you can now create your own arbitrary body content, and set your own arbitrary content-type. It'll even stick the response in an attribute for you, which you can parse using regexes. There's some examples of using some of the more interesting features here: http://wiki.freeradius.org/guide/twitter If you have any questions not covered by the inline documentation, we can provide helpful hints. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
I did as you told and it all works now even with the SELinux enabled. I will try to search for some information concerning how it works (I'm not really an expert) and see if I can advance a little more. In any case thanks for the help, I would still be searching if it wasn't for you... Have a great week-end :) Marc 2015-04-16 17:45 GMT+02:00 Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
On 16 Apr 2015, at 16:32, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Thu, Apr 16, 2015 at 03:59:47PM +0200, mdii wrote:
To explain why I can't use the 3.x is that we're using package that receives the Freeradius call and do a REST API call to a distant server, and this package is only available for Freeradius 2.x at the moment... :(
There's a rlm_rest module for FR3 that allows you do to fairly random HTTP calls to remote servers if that helps.
As of 3.0.7 you can now create your own arbitrary body content, and set your own arbitrary content-type.
It'll even stick the response in an attribute for you, which you can parse using regexes.
There's some examples of using some of the more interesting features here:
http://wiki.freeradius.org/guide/twitter
If you have any questions not covered by the inline documentation, we can provide helpful hints.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I'm using 3.0.x with linelog module, with a filename set up as follows: filename=${logdir}/RadiusTrace-%{Client-Shortname}-%Y%m%d%H.log In clients.conf I have some clients which contain "-" characters. When the linelog creates the output file, the "-" are doubled (resulting in "--" in the file name). (This is done in function rad_filename_escape from main\util.c) Is there a way to prevent this ? This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On 16 Apr 2015, at 18:24, Chaigneau, Nicolas <nicolas.chaigneau@capgemini.com> wrote:
Hello,
I'm using 3.0.x with linelog module, with a filename set up as follows:
filename=${logdir}/RadiusTrace-%{Client-Shortname}-%Y%m%d%H.log
In clients.conf I have some clients which contain "-" characters. When the linelog creates the output file, the "-" are doubled (resulting in "--" in the file name).
(This is done in function rad_filename_escape from main\util.c)
Is there a way to prevent this ?
The escape function produces POSIX fully portable filenames, whilst allowing recovery of the input text. It should be possible to modify the escape functions so that hyphen doesn't have another hyphen to escape it, unless the hyphen in the src string was before a disallowed character. Thinking about it, that's probably a good idea. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
I'm using 3.0.x with linelog module, with a filename set up as follows:
filename=${logdir}/RadiusTrace-%{Client-Shortname}-%Y%m%d%H.log
In clients.conf I have some clients which contain "-" characters. When the linelog creates the output file, the "-" are doubled (resulting in "--" in the file name).
(This is done in function rad_filename_escape from main\util.c)
Is there a way to prevent this ?
The escape function produces POSIX fully portable filenames, whilst allowing recovery of the input text.
It should be possible to modify the escape functions so that hyphen doesn't have another hyphen to escape it, unless the hyphen in the src string was before a disallowed character.
Thinking about it, that's probably a good idea.
Can this be considered a bug so it can be done in 3.0.x ? :) Alternatively, rlm_detail provides a parameter (escape_filenames) that allows to disable the escaping. Maybe this could be a good idea to do this also for rlm_linelog. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Hi,
dont have hyphens in your device shortnames? :/
Well... I can't really tell my client that they can't have hyphens in their file names anymore :) This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On 17 Apr 2015, at 08:00, Chaigneau, Nicolas <nicolas.chaigneau@capgemini.com> wrote:
I'm using 3.0.x with linelog module, with a filename set up as follows:
filename=${logdir}/RadiusTrace-%{Client-Shortname}-%Y%m%d%H.log
In clients.conf I have some clients which contain "-" characters. When the linelog creates the output file, the "-" are doubled (resulting in "--" in the file name).
(This is done in function rad_filename_escape from main\util.c)
Is there a way to prevent this ?
The escape function produces POSIX fully portable filenames, whilst allowing recovery of the input text.
It should be possible to modify the escape functions so that hyphen doesn't have another hyphen to escape it, unless the hyphen in the src string was before a disallowed character.
Thinking about it, that's probably a good idea.
Can this be considered a bug so it can be done in 3.0.x ? :)
Alternatively, rlm_detail provides a parameter (escape_filenames) that allows to disable the escaping.
Maybe this could be a good idea to do this also for rlm_linelog.
Yeah, that's a better idea. The escape function needs to prevent collisions from occurring, so hyphens need to be escaped. I've added the same config_item as rlm_detail, which defaults to off. The behaviour should be almost the same as 3.0.7, except now it'll prevent upwards directory traversal and do something sensible with control chars. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Apr 17, 2015, at 3:00 AM, Chaigneau, Nicolas <nicolas.chaigneau@capgemini.com> wrote:
Can this be considered a bug so it can be done in 3.0.x ? :)
We'll look at it.
Alternatively, rlm_detail provides a parameter (escape_filenames) that allows to disable the escaping.
The dynamic expansions depend on user input. That input has to be sanitized before it's used in a filename.
Maybe this could be a good idea to do this also for rlm_linelog.
Fixing the escaping function would fix this in both places. Alan DeKok.
participants (9)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Arran Cudbard-Bell -
Chaigneau, Nicolas -
Matthew Newton -
mdii -
Stefan Paetow