Freeradius 3.0.21 with chroot enables fails to start from the Systemd unit file.
Hello all, I am trying to test chroot on a Raspberry Pi running the distro-provided Freeradius 3.0.21 on the 32bit Raspberry Pi OS (Debian) 11. According to the instructions from networkradius.com and freeradius -X error messages, I created the chroot folder hierarchy and the required files as shown below: The character devices null, zero, random and urandom were created under /var/freeradius/chroot/dev. /var/freeradius/chroot/etc/ssl/certs /var/freeradius/chroot/etc/ssl/certs/private /var/freeradius/chroot/etc/passwd /var/freeradius/chroot/var/run The following folders and files are bind mounted in the chroot: /var/freeradius/chroot/usr/lib/freeradius/ /var/freeradius/chroot/usr/lib/arm-linux-gnueabihf/ /var/freeradius/chroot/etc/freeradius/3.0/certs/ /var/freeradius/chroot/etc/freeradius/3.0/mods-config/ /var/freeradius/chroot/etc/nsswitch.conf /var/freeradius/chroot/etc/resolv.conf /var/freeradius/chroot/var/log/freeradius/ The ownership and permission bits for all files and folders in the chroot folder are the same as their non-chrooted counterparts. Finally, I enabled chroot in radiusd.conf. Running freeradius -X, the debug output seems to be *exactly* the same as running freeradius -X with chroot disabled (well, only the line chroot = "/var/freeradius/chroot" was added in the security {} block output). While running the chrooted Freeradius as freeradius -X, Freeradius performs client authentication with EAP-PEAP and EAP-(T)TLS, proxing, etc normally. If -P is provided (freeradius -XP), the PID file is created in the /var/freeradius/chroot/var/run/ as expected. The output of freeradius -X with chroot enabled is given below: ---------------freeradius -X output------------------------ FreeRADIUS Version 3.0.21 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/unpack including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/filter including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel main { security { user = "freerad" group = "freerad" chroot = "/var/freeradius/chroot" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server home_server1 { ipaddr = 192.168.1.10 port = 0 type = "auth+acct" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } home_server_pool test_local_pool { type = fail-over home_server = home_server1 } realm MY_REALM { pool = test_local_pool nostrip } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 192.168.1.11 { ipaddr = 192.168.1.11 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = eap # Creating Auth-Type = mschap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_exec # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack instantiate { } # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/freeradius.key" certificate_file = "/etc/ssl/certs/freeradius.crt" ca_file = "/usr/local/share/ca-certificates/ca-certificates-freeradius.crt" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/3.0/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using internal authentication } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} Ignoring "sql" (see raddb/mods-available/README.rst) # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:335 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipv4addr = 192.168.1.20 port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv4addr = 192.168.1.20 port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address 192.168.1.20 port 1812 bound to server default Listening on acct address 192.168.1.20 port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 44958 Listening on proxy address :: port 32891 Ready to process requests ---------------End of freeradius -X output----------------- If I try to start the chrooted Freeradius from the provided Systemd startup script, it fails and journalctl -xe returns the following: ---------------journalctl -xe output -------------------------- Support: https://www.debian.org/support The unit freeradius.service completed and consumed the indicated resources. Apr 16 14:14:36 raspberry systemd[1]: Starting FreeRADIUS multi-protocol policy server... Subject: A start job for unit freeradius.service has begun execution Defined-By: systemd Support: https://www.debian.org/support A start job for unit freeradius.service has begun execution. The job identifier is 2157. Apr 16 14:14:37 raspberry freeradius[2624]: FreeRADIUS Version 3.0.21 Apr 16 14:14:37 raspberry freeradius[2624]: Copyright (C) 1999-2019 The FreeRADIUS server project and contributors Apr 16 14:14:37 raspberry freeradius[2624]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Apr 16 14:14:37 raspberry freeradius[2624]: PARTICULAR PURPOSE Apr 16 14:14:37 raspberry freeradius[2624]: You may redistribute copies of FreeRADIUS under the terms of the Apr 16 14:14:37 raspberry freeradius[2624]: GNU General Public License Apr 16 14:14:37 raspberry freeradius[2624]: For more information about these matters, see the file named COPYRIGHT Apr 16 14:14:37 raspberry freeradius[2624]: Starting - reading configuration files ... Apr 16 14:14:37 raspberry freeradius[2624]: Debug state unknown (cap_sys_ptrace capability not set) Apr 16 14:14:37 raspberry freeradius[2624]: Creating attribute Unix-Group Apr 16 14:14:37 raspberry freeradius[2624]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked Apr 16 14:14:37 raspberry freeradius[2624]: tls: Using cached TLS configuration from previous invocation Apr 16 14:14:37 raspberry freeradius[2624]: tls: Using cached TLS configuration from previous invocation Apr 16 14:14:37 raspberry freeradius[2624]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output Apr 16 14:14:37 raspberry freeradius[2624]: rlm_mschap (mschap): using internal authentication Apr 16 14:14:37 raspberry freeradius[2624]: Ignoring "sql" (see raddb/mods-available/README.rst) Apr 16 14:14:37 raspberry freeradius[2624]: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:335 Apr 16 14:14:37 raspberry freeradius[2624]: radiusd: #### Skipping IP addresses and Ports #### Apr 16 14:14:37 raspberry freeradius[2624]: Configuration appears to be OK Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Main process exited, code=exited, status=1/FAILURE Subject: Unit process exited Defined-By: systemd Support: https://www.debian.org/support An ExecStart= process belonging to unit freeradius.service has exited. The process' exit code is 'exited' and its exit status is 1. Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Failed with result 'exit-code'. Subject: Unit failed Defined-By: systemd Support: https://www.debian.org/support The unit freeradius.service has entered the 'failed' state with result 'exit-code'. Apr 16 14:14:37 raspberry systemd[1]: Failed to start FreeRADIUS multi-protocol policy server. Subject: A start job for unit freeradius.service has failed Defined-By: systemd Support: https://www.debian.org/support A start job for unit freeradius.service has finished with a failure. The job identifier is 2157 and the job result is failed. Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Consumed 1.338s CPU time. Subject: Resources consumed by unit runtime Defined-By: systemd Support: https://www.debian.org/support The unit freeradius.service completed and consumed the indicated resources. ---------------End of journalctl -xe output-------------------- Although I am not a Systemd or a Freeradius guru, I made a simple investigation with the following results: 1) The provided systemd script contains the following lines: ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS The variable $FREERADIUS_OPTIONS populated in /etc/default/freeradius is set to an empty string ("") - the provided default value. 2) The command in ExecStartPre (/usr/sbin/freeradius -Cx -lstdout) always returns with the message "Configuration appears to be OK". 3) If I run freeradius -f -lstdout (as shown above in ExecStart) from the command line, I am getting the following output depending on the user I am logged in: a) As 'root' *regardless if chroot is enabled or not* or as 'freerad' (the Freeradius user in Debian) *with chroot disabled*, the output is: ----------freeradius -f -lstdout output--------------------- root@raspberry:~# freeradius -f -lstdout Sat Apr 16 14:23:07 2022 : Info: Starting - reading configuration files ... Sat Apr 16 14:23:07 2022 : Info: Debugger not attached Sat Apr 16 14:23:07 2022 : Info: systemd watchdog is disabled Sat Apr 16 14:23:07 2022 : Info: Loaded virtual server <default> Sat Apr 16 14:23:07 2022 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst) Sat Apr 16 14:23:07 2022 : Info: Loaded virtual server default Sat Apr 16 14:23:07 2022 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:335 Sat Apr 16 14:23:07 2022 : Info: Loaded virtual server inner-tunnel Sat Apr 16 14:23:07 2022 : Info: Ready to process requests ----------End of freeradius -f -lstdout output-------------- b) As 'freerad' *with chroot enabled*, freeradius -f -lstdout returns immediately without reporting or logging any error(s): ----------freeradius -f -lstdout output--------------------- freerad@raspberry:$ freeradius -f -lstdout Sat Apr 16 14:24:50 2022 : Info: Starting - reading configuration files ... freerad@raspberry:$ ----------End of freeradius -f -lstdout output-------------- Is this a permission problem or am I doing something wrong? Thank you in advance, Antonios
On Apr 18, 2022, at 6:53 AM, Antonios Kalkakos <akalkakos@hotmail.com> wrote:
I am trying to test chroot on a Raspberry Pi running the distro-provided Freeradius 3.0.21 on the 32bit Raspberry Pi OS (Debian) 11.
Chroot should work by itself. I doubt that it will work with systemd, though. ...
Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Main process exited, code=exited, status=1/FAILURE
Hmm... "FAILURE". Maybe there's an additional error message buried somewhere inside of the systemd logs?
Although I am not a Systemd or a Freeradius guru, I made a simple investigation with the following results:
That's all a very good approach.
b) As 'freerad' *with chroot enabled*, freeradius -f -lstdout returns immediately without reporting or logging any error(s):
----------freeradius -f -lstdout output--------------------- freerad@raspberry:$ freeradius -f -lstdout Sat Apr 16 14:24:50 2022 : Info: Starting - reading configuration files ... freerad@raspberry:$ ----------End of freeradius -f -lstdout output--------------
If you do "echo $?" immediately after that, you'll see if the server exited with an error. I'd say try 3.0.25, maybe it produces better error messages.
Is this a permission problem or am I doing something wrong?
chroot should work, but I can't recall trying it in the last few years. I doubt very much that chroot will work with systemd. Systemd is just too weird, and has many additional requirements over a normal chroot process. Alan DeKok.
On 18/04/2022 16:24, Alan DeKok wrote:
On Apr 18, 2022, at 6:53 AM, Antonios Kalkakos <akalkakos@hotmail.com> wrote:
I am trying to test chroot on a Raspberry Pi running the distro-provided Freeradius 3.0.21 on the 32bit Raspberry Pi OS (Debian) 11.
Chroot should work by itself. I doubt that it will work with systemd, though.
...
Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Main process exited, code=exited, status=1/FAILURE
Hmm... "FAILURE". Maybe there's an additional error message buried somewhere inside of the systemd logs? Nothing is logged in /var/log/freeradius; logs in /var/log/syslog don't give any detail:
-------------------syslog---------------------------------- Apr 18 17:00:53 raspberry systemd[1]: Starting FreeRADIUS multi-protocol policy server... Apr 18 17:00:54 raspberry freeradius[6975]: FreeRADIUS Version 3.0.21 Apr 18 17:00:54 raspberry freeradius[6975]: Copyright (C) 1999-2019 The FreeRADIUS server project and contributors Apr 18 17:00:54 raspberry freeradius[6975]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Apr 18 17:00:54 raspberry freeradius[6975]: PARTICULAR PURPOSE Apr 18 17:00:54 raspberry freeradius[6975]: You may redistribute copies of FreeRADIUS under the terms of the Apr 18 17:00:54 raspberry freeradius[6975]: GNU General Public License Apr 18 17:00:54 raspberry freeradius[6975]: For more information about these matters, see the file named COPYRIGHT Apr 18 17:00:54 raspberry freeradius[6975]: Starting - reading configuration files ... Apr 18 17:00:54 raspberry freeradius[6975]: Debug state unknown (cap_sys_ptrace capability not set) Apr 18 17:00:54 raspberry freeradius[6975]: Creating attribute Unix-Group Apr 18 17:00:54 raspberry freeradius[6975]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked Apr 18 17:00:54 raspberry freeradius[6975]: tls: Using cached TLS configuration from previous invocation Apr 18 17:00:54 raspberry freeradius[6975]: tls: Using cached TLS configuration from previous invocation Apr 18 17:00:54 raspberry freeradius[6975]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output Apr 18 17:00:54 raspberry freeradius[6975]: rlm_mschap (mschap): using internal authentication Apr 18 17:00:54 raspberry freeradius[6975]: Ignoring "sql" (see raddb/mods-available/README.rst) Apr 18 17:00:54 raspberry freeradius[6975]: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:340 Apr 18 17:00:54 raspberry freeradius[6975]: radiusd: #### Skipping IP addresses and Ports #### Apr 18 17:00:54 raspberry freeradius[6975]: Configuration appears to be OK Apr 18 17:00:55 raspberry systemd[1]: freeradius.service: Main process exited, code=exited, status=1/FAILURE Apr 18 17:00:55 raspberry systemd[1]: freeradius.service: Failed with result 'exit-code'. Apr 18 17:00:55 raspberry systemd[1]: Failed to start FreeRADIUS multi-protocol policy server. Apr 18 17:00:55 raspberry systemd[1]: freeradius.service: Consumed 1.323s CPU time. -------------------end of syslog----------------------------------
Although I am not a Systemd or a Freeradius guru, I made a simple investigation with the following results:
That's all a very good approach.
b) As 'freerad' *with chroot enabled*, freeradius -f -lstdout returns immediately without reporting or logging any error(s):
----------freeradius -f -lstdout output--------------------- freerad@raspberry:$ freeradius -f -lstdout Sat Apr 16 14:24:50 2022 : Info: Starting - reading configuration files ... freerad@raspberry:$ ----------End of freeradius -f -lstdout output--------------
If you do "echo $?" immediately after that, you'll see if the server exited with an error.
Yes, it just returns 1.
I'd say try 3.0.25, maybe it produces better error messages.
Will give a try on a testing machine on my spare time. It's a (sometimes unfortunate) requirement for me to work with the distro - provided packages.
Is this a permission problem or am I doing something wrong?
chroot should work, but I can't recall trying it in the last few years.
I doubt very much that chroot will work with systemd. Systemd is just too weird, and has many additional requirements over a normal chroot process. I totally agree with you! systemd sometimes makes simple things complicated.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Antonios
Its chroot'd, so unless you are pointing /var/log/freeradius to the correct louvain, check contents of /var/freeradius/chroot/var/log/freeradius alan On Mon, 18 Apr 2022, 17:08 Antonios Kalkakos, <akalkakos@hotmail.com> wrote:
On 18/04/2022 16:24, Alan DeKok wrote:
On Apr 18, 2022, at 6:53 AM, Antonios Kalkakos <akalkakos@hotmail.com> wrote:
I am trying to test chroot on a Raspberry Pi running the distro-provided Freeradius 3.0.21 on the 32bit Raspberry Pi OS (Debian) 11.
Chroot should work by itself. I doubt that it will work with systemd, though.
...
Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Main process exited, code=exited, status=1/FAILURE
Hmm... "FAILURE". Maybe there's an additional error message buried somewhere inside of the systemd logs? Nothing is logged in /var/log/freeradius; logs in /var/log/syslog don't give any detail:
-------------------syslog---------------------------------- Apr 18 17:00:53 raspberry systemd[1]: Starting FreeRADIUS multi-protocol policy server... Apr 18 17:00:54 raspberry freeradius[6975]: FreeRADIUS Version 3.0.21 Apr 18 17:00:54 raspberry freeradius[6975]: Copyright (C) 1999-2019 The FreeRADIUS server project and contributors Apr 18 17:00:54 raspberry freeradius[6975]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Apr 18 17:00:54 raspberry freeradius[6975]: PARTICULAR PURPOSE Apr 18 17:00:54 raspberry freeradius[6975]: You may redistribute copies of FreeRADIUS under the terms of the Apr 18 17:00:54 raspberry freeradius[6975]: GNU General Public License Apr 18 17:00:54 raspberry freeradius[6975]: For more information about these matters, see the file named COPYRIGHT Apr 18 17:00:54 raspberry freeradius[6975]: Starting - reading configuration files ... Apr 18 17:00:54 raspberry freeradius[6975]: Debug state unknown (cap_sys_ptrace capability not set) Apr 18 17:00:54 raspberry freeradius[6975]: Creating attribute Unix-Group Apr 18 17:00:54 raspberry freeradius[6975]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked Apr 18 17:00:54 raspberry freeradius[6975]: tls: Using cached TLS configuration from previous invocation Apr 18 17:00:54 raspberry freeradius[6975]: tls: Using cached TLS configuration from previous invocation Apr 18 17:00:54 raspberry freeradius[6975]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output Apr 18 17:00:54 raspberry freeradius[6975]: rlm_mschap (mschap): using internal authentication Apr 18 17:00:54 raspberry freeradius[6975]: Ignoring "sql" (see raddb/mods-available/README.rst) Apr 18 17:00:54 raspberry freeradius[6975]: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:340 Apr 18 17:00:54 raspberry freeradius[6975]: radiusd: #### Skipping IP addresses and Ports #### Apr 18 17:00:54 raspberry freeradius[6975]: Configuration appears to be OK Apr 18 17:00:55 raspberry systemd[1]: freeradius.service: Main process exited, code=exited, status=1/FAILURE Apr 18 17:00:55 raspberry systemd[1]: freeradius.service: Failed with result 'exit-code'. Apr 18 17:00:55 raspberry systemd[1]: Failed to start FreeRADIUS multi-protocol policy server. Apr 18 17:00:55 raspberry systemd[1]: freeradius.service: Consumed 1.323s CPU time. -------------------end of syslog----------------------------------
Although I am not a Systemd or a Freeradius guru, I made a simple
investigation with the following results:
That's all a very good approach.
b) As 'freerad' *with chroot enabled*, freeradius -f -lstdout returns
immediately without reporting or logging any error(s):
----------freeradius -f -lstdout output--------------------- freerad@raspberry:$ freeradius -f -lstdout Sat Apr 16 14:24:50 2022 : Info: Starting - reading configuration files
...
freerad@raspberry:$ ----------End of freeradius -f -lstdout output--------------
If you do "echo $?" immediately after that, you'll see if the server exited with an error. Yes, it just returns 1.
I'd say try 3.0.25, maybe it produces better error messages.
Will give a try on a testing machine on my spare time. It's a (sometimes unfortunate) requirement for me to work with the distro - provided packages.
Is this a permission problem or am I doing something wrong?
chroot should work, but I can't recall trying it in the last few years.
I doubt very much that chroot will work with systemd. Systemd is just too weird, and has many additional requirements over a normal chroot process. I totally agree with you! systemd sometimes makes simple things complicated.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Antonios - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
When freeradius -f is executed from the command line as user 'freerad' the process dies without logging anything to /var/log/freeradius/radiusd.log (originally I had /var/log/freeradius bind mounted to /var/freeradius/chroot/var/log/freeradius but I changed that to separate the log files for my tests). So, if I run the chrooted freeradius -f from the command line as... 1) ...'freerad', the daemon dies without logging anything. 2) ...'root', Freeradius works as expected and "ps u -C freeradius" outputs "freerad 7758 6.1 9.2 175332 87020 ? Ssl 17:08 0:01 /usr/sbin/freeradius -f". The systemd unit file contains the lines User=freerad and Group=freerad which, in the best of my knowledge, mean "run freeradius -f as user and group 'freerad'". If I remove the User and Group lines (they both default to 'root'), systemd complains that the process "Failed with result 'timeout'" and freeradius logs "Warning: Failed notifying systemd that process is READY: Unknown error -2" in /var/freeradius/chroot/var/log/freeradius/radiusd.log. However, the chrooted freeradius process is up and works as expected. Antonios On 19/04/2022 19:14, Alan Buxey wrote:
Its chroot'd, so unless you are pointing /var/log/freeradius to the correct louvain, check contents of /var/freeradius/chroot/var/log/freeradius
alan
On Mon, 18 Apr 2022, 17:08 Antonios Kalkakos, <akalkakos@hotmail.com> wrote:
On 18/04/2022 16:24, Alan DeKok wrote:
On Apr 18, 2022, at 6:53 AM, Antonios Kalkakos <akalkakos@hotmail.com> wrote:
I am trying to test chroot on a Raspberry Pi running the distro-provided Freeradius 3.0.21 on the 32bit Raspberry Pi OS (Debian) 11.
Chroot should work by itself. I doubt that it will work with systemd, though.
...
Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Main process exited, code=exited, status=1/FAILURE
Hmm... "FAILURE". Maybe there's an additional error message buried somewhere inside of the systemd logs? Nothing is logged in /var/log/freeradius; logs in /var/log/syslog don't give any detail:
-------------------syslog---------------------------------- Apr 18 17:00:53 raspberry systemd[1]: Starting FreeRADIUS multi-protocol policy server... Apr 18 17:00:54 raspberry freeradius[6975]: FreeRADIUS Version 3.0.21 Apr 18 17:00:54 raspberry freeradius[6975]: Copyright (C) 1999-2019 The FreeRADIUS server project and contributors Apr 18 17:00:54 raspberry freeradius[6975]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Apr 18 17:00:54 raspberry freeradius[6975]: PARTICULAR PURPOSE Apr 18 17:00:54 raspberry freeradius[6975]: You may redistribute copies of FreeRADIUS under the terms of the Apr 18 17:00:54 raspberry freeradius[6975]: GNU General Public License Apr 18 17:00:54 raspberry freeradius[6975]: For more information about these matters, see the file named COPYRIGHT Apr 18 17:00:54 raspberry freeradius[6975]: Starting - reading configuration files ... Apr 18 17:00:54 raspberry freeradius[6975]: Debug state unknown (cap_sys_ptrace capability not set) Apr 18 17:00:54 raspberry freeradius[6975]: Creating attribute Unix-Group Apr 18 17:00:54 raspberry freeradius[6975]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked Apr 18 17:00:54 raspberry freeradius[6975]: tls: Using cached TLS configuration from previous invocation Apr 18 17:00:54 raspberry freeradius[6975]: tls: Using cached TLS configuration from previous invocation Apr 18 17:00:54 raspberry freeradius[6975]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output Apr 18 17:00:54 raspberry freeradius[6975]: rlm_mschap (mschap): using internal authentication Apr 18 17:00:54 raspberry freeradius[6975]: Ignoring "sql" (see raddb/mods-available/README.rst) Apr 18 17:00:54 raspberry freeradius[6975]: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:340 Apr 18 17:00:54 raspberry freeradius[6975]: radiusd: #### Skipping IP addresses and Ports #### Apr 18 17:00:54 raspberry freeradius[6975]: Configuration appears to be OK Apr 18 17:00:55 raspberry systemd[1]: freeradius.service: Main process exited, code=exited, status=1/FAILURE Apr 18 17:00:55 raspberry systemd[1]: freeradius.service: Failed with result 'exit-code'. Apr 18 17:00:55 raspberry systemd[1]: Failed to start FreeRADIUS multi-protocol policy server. Apr 18 17:00:55 raspberry systemd[1]: freeradius.service: Consumed 1.323s CPU time. -------------------end of syslog----------------------------------
Although I am not a Systemd or a Freeradius guru, I made a simple
investigation with the following results:
That's all a very good approach.
b) As 'freerad' *with chroot enabled*, freeradius -f -lstdout returns
immediately without reporting or logging any error(s):
----------freeradius -f -lstdout output--------------------- freerad@raspberry:$ freeradius -f -lstdout Sat Apr 16 14:24:50 2022 : Info: Starting - reading configuration files
...
freerad@raspberry:$ ----------End of freeradius -f -lstdout output--------------
If you do "echo $?" immediately after that, you'll see if the server exited with an error. Yes, it just returns 1.
I'd say try 3.0.25, maybe it produces better error messages.
Will give a try on a testing machine on my spare time. It's a (sometimes unfortunate) requirement for me to work with the distro - provided packages.
Is this a permission problem or am I doing something wrong?
chroot should work, but I can't recall trying it in the last few years.
I doubt very much that chroot will work with systemd. Systemd is just too weird, and has many additional requirements over a normal chroot process. I totally agree with you! systemd sometimes makes simple things complicated.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Antonios - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 20, 2022, at 2:30 PM, Antonios Kalkakos <akalkakos@hotmail.com> wrote:
When freeradius -f is executed from the command line as user 'freerad' the process dies without logging anything to /var/log/freeradius/radiusd.log (originally I had /var/log/freeradius bind mounted to /var/freeradius/chroot/var/log/freeradius but I changed that to separate the log files for my tests).
So, if I run the chrooted freeradius -f from the command line as... 1) ...'freerad', the daemon dies without logging anything.
Then your local configuration is somehow wrong. The server tries really hard to log everything. But there may be rare / unusual code paths where it doesn't. Especially when using a version which is a few years old. But also, the server can't use the "chroot" system call when it's a normal user. chroot() is allowed only for the "root" user. And when I try to configure chroot as a normal user, the server dies with an error: Failed to perform chroot /path/to/chroot: EPERM: Operation not permitted
2) ...'root', Freeradius works as expected and "ps u -C freeradius" outputs "freerad 7758 6.1 9.2 175332 87020 ? Ssl 17:08 0:01 /usr/sbin/freeradius -f".
As expected.
The systemd unit file contains the lines User=freerad and Group=freerad which, in the best of my knowledge, mean "run freeradius -f as user and group 'freerad'".
Which then means that chroot won't work.
If I remove the User and Group lines (they both default to 'root'), systemd complains that the process "Failed with result 'timeout'" and freeradius logs "Warning: Failed notifying systemd that process is READY: Unknown error -2" in /var/freeradius/chroot/var/log/freeradius/radiusd.log. However, the chrooted freeradius process is up and works as expected.
Likely because systemd doesn't interact well with chroot'd programs. As I already said. so: a) chroot works when run normally (as root, not as another user) b) who knows about systemd We're not the authors of systemd, and can't really help with that. Either run the server under chroot normally (without systemd) or run it under systemd (without chroot) Alan DeKok.
Totally agree with you. Thanks for your clarifications and support Alan! Antonios On 20/04/2022 21:54, Alan DeKok wrote:
On Apr 20, 2022, at 2:30 PM, Antonios Kalkakos <akalkakos@hotmail.com> wrote:
When freeradius -f is executed from the command line as user 'freerad' the process dies without logging anything to /var/log/freeradius/radiusd.log (originally I had /var/log/freeradius bind mounted to /var/freeradius/chroot/var/log/freeradius but I changed that to separate the log files for my tests).
So, if I run the chrooted freeradius -f from the command line as... 1) ...'freerad', the daemon dies without logging anything.
Then your local configuration is somehow wrong. The server tries really hard to log everything. But there may be rare / unusual code paths where it doesn't.
Especially when using a version which is a few years old.
But also, the server can't use the "chroot" system call when it's a normal user. chroot() is allowed only for the "root" user.
And when I try to configure chroot as a normal user, the server dies with an error:
Failed to perform chroot /path/to/chroot: EPERM: Operation not permitted
2) ...'root', Freeradius works as expected and "ps u -C freeradius" outputs "freerad 7758 6.1 9.2 175332 87020 ? Ssl 17:08 0:01 /usr/sbin/freeradius -f".
As expected.
The systemd unit file contains the lines User=freerad and Group=freerad which, in the best of my knowledge, mean "run freeradius -f as user and group 'freerad'".
Which then means that chroot won't work.
If I remove the User and Group lines (they both default to 'root'), systemd complains that the process "Failed with result 'timeout'" and freeradius logs "Warning: Failed notifying systemd that process is READY: Unknown error -2" in /var/freeradius/chroot/var/log/freeradius/radiusd.log. However, the chrooted freeradius process is up and works as expected.
Likely because systemd doesn't interact well with chroot'd programs. As I already said.
so:
a) chroot works when run normally (as root, not as another user)
b) who knows about systemd
We're not the authors of systemd, and can't really help with that. Either run the server under chroot normally (without systemd) or run it under systemd (without chroot)
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 4/20/22 20:54, Alan DeKok wrote:
a) chroot works when run normally (as root, not as another user) b) who knows about systemd
Disclaimer: I do not consider myself to be a systemd or chroot() expert. But maybe worth reading: http://0pointer.de/blog/projects/changing-roots.html Eventually one might consider to use the systemd directives Private*= and Protect*= in the systemd service unit for enabling its sandboxing: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxin... Ciao, Michael.
participants (4)
-
Alan Buxey -
Alan DeKok -
Antonios Kalkakos -
Michael Ströder