Hello, I've attached output from a radius -X command in a text file to provide more information as to what's going on. I'm receiving the following error: # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" Unable to open file "/etc/raddb/mods-config/files/authorize": Permission denied } /etc/raddb/mods-enabled/files[9]: Invalid configuration for module "files" For /etc/raddb/mods-config/files/authorize I tried to make the permissions r-w-x for root and radius group and read for all other users... so 774 but I'm not having any luck getting radius to start. When I try to give full permission for testing (777), I get the same error. I also tried to change /etc/raddb/mods-available/files to 777 just to test and I receive the following: Configuration file /etc/raddb/mods-enabled/files is globally writable. Refusing to start due to insecure configuration. Errors reading or parsing /etc/raddb/radiusd.conf Makes sense since it's insecure. Hopefully there is enough information to pin point what's actually going on. Thanks, Jim This message is intended only for the addressee and may contain information that is company confidential or privileged. Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately.
Hi Just ensure that all the files are readable by the user the Daemon runs as - radiusd? alan On 15 Nov 2017 5:16 pm, "Smith, James" <james.smith@saabsensis.com> wrote:
Hello, I've attached output from a radius -X command in a text file to provide more information as to what's going on.
I'm receiving the following error: # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" Unable to open file "/etc/raddb/mods-config/files/authorize": Permission denied } /etc/raddb/mods-enabled/files[9]: Invalid configuration for module "files"
For /etc/raddb/mods-config/files/authorize I tried to make the permissions r-w-x for root and radius group and read for all other users... so 774 but I'm not having any luck getting radius to start. When I try to give full permission for testing (777), I get the same error.
I also tried to change /etc/raddb/mods-available/files to 777 just to test and I receive the following:
Configuration file /etc/raddb/mods-enabled/files is globally writable. Refusing to start due to insecure configuration. Errors reading or parsing /etc/raddb/radiusd.conf
Makes sense since it's insecure.
Hopefully there is enough information to pin point what's actually going on.
Thanks, Jim
This message is intended only for the addressee and may contain information that is company confidential or privileged. Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Thanks Alan. I'm logged in as root and am starting radius as root. Root has read permissions to everything. /etc/raddb/mods-config/files -rwxrwxr-- 1 root radiusd 9656 Nov 15 16:03 authorize Jim -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+james.smith=saabsensis.com@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Wednesday, November 15, 2017 12:26 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Unable to start RADIUS (Permissions) Hi Just ensure that all the files are readable by the user the Daemon runs as - radiusd? alan On 15 Nov 2017 5:16 pm, "Smith, James" <james.smith@saabsensis.com> wrote:
Hello, I've attached output from a radius -X command in a text file to provide more information as to what's going on.
I'm receiving the following error: # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" Unable to open file "/etc/raddb/mods-config/files/authorize": Permission denied } /etc/raddb/mods-enabled/files[9]: Invalid configuration for module "files"
For /etc/raddb/mods-config/files/authorize I tried to make the permissions r-w-x for root and radius group and read for all other users... so 774 but I'm not having any luck getting radius to start. When I try to give full permission for testing (777), I get the same error.
I also tried to change /etc/raddb/mods-available/files to 777 just to test and I receive the following:
Configuration file /etc/raddb/mods-enabled/files is globally writable. Refusing to start due to insecure configuration. Errors reading or parsing /etc/raddb/radiusd.conf
Makes sense since it's insecure.
Hopefully there is enough information to pin point what's actually going on.
Thanks, Jim
This message is intended only for the addressee and may contain information that is company confidential or privileged. Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - This message is intended only for the addressee and may contain information that is company confidential or privileged. Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately. -
On 15 Nov 2017, at 17:49, Smith, James <james.smith@saabsensis.com> wrote:
/etc/raddb/mods-config/files -rwxrwxr-- 1 root radiusd 9656 Nov 15 16:03 authorize
I'd be incredibly surprised if FreeRADIUS was at fault; it should be easy enough to confirm with strace -Ff though. Look for /etc/raddb/mods-config/files/config in the output, and verify that the call to open the file is issued correctly. As you're running a Red Hat derived system, my money would be on SELinux blocking access to the file. You can confirm this by installing policycoreutils-python, and running "audit2allow -a -w". Most likely cause would be that the file is mislabelled (ls -alZ will show you the labels). Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On 16/11/2017, at 10:33 AM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On 15 Nov 2017, at 17:49, Smith, James <james.smith@saabsensis.com> wrote:
/etc/raddb/mods-config/files -rwxrwxr-- 1 root radiusd 9656 Nov 15 16:03 authorize
I'd be incredibly surprised if FreeRADIUS was at fault; it should be easy enough to confirm with strace -Ff though. Look for /etc/raddb/mods-config/files/config in the output, and verify that the call to open the file is issued correctly.
As you're running a Red Hat derived system, my money would be on SELinux blocking access to the file.
You can confirm this by installing policycoreutils-python, and running "audit2allow -a -w". Most likely cause would be that the file is mislabelled (ls -alZ will show you the labels).
Nope, not selinux. I note that the debug output has: <snip> main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } } </snip> switch_users appears to be called relatively early in the config parser, looks like right after that section of the config is parsed/printed in the debug, so check what permissions the radius user has for those files. -- Nathan Ward
Hi Alan, Thank you for the reply. You guys were all correct in that it was a OS problem. I found out that some permissions at a higher lever were changed and that looks to be what was causing the problem. There must have been files in a location other than /etc/raddb that had their permissions changed and it was preventing the radiusd user from accessing what it needed. Thanks for the insight and help. Jim -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+james.smith=saabsensis.com@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Wednesday, November 15, 2017 12:26 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Unable to start RADIUS (Permissions) Hi Just ensure that all the files are readable by the user the Daemon runs as - radiusd? alan On 15 Nov 2017 5:16 pm, "Smith, James" <james.smith@saabsensis.com> wrote:
Hello, I've attached output from a radius -X command in a text file to provide more information as to what's going on.
I'm receiving the following error: # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" Unable to open file "/etc/raddb/mods-config/files/authorize": Permission denied } /etc/raddb/mods-enabled/files[9]: Invalid configuration for module "files"
For /etc/raddb/mods-config/files/authorize I tried to make the permissions r-w-x for root and radius group and read for all other users... so 774 but I'm not having any luck getting radius to start. When I try to give full permission for testing (777), I get the same error.
I also tried to change /etc/raddb/mods-available/files to 777 just to test and I receive the following:
Configuration file /etc/raddb/mods-enabled/files is globally writable. Refusing to start due to insecure configuration. Errors reading or parsing /etc/raddb/radiusd.conf
Makes sense since it's insecure.
Hopefully there is enough information to pin point what's actually going on.
Thanks, Jim
This message is intended only for the addressee and may contain information that is company confidential or privileged. Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - This message is intended only for the addressee and may contain information that is company confidential or privileged. Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately. -
On Nov 15, 2017, at 12:15 PM, Smith, James <james.smith@saabsensis.com> wrote:
I'm receiving the following error: # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" Unable to open file "/etc/raddb/mods-config/files/authorize": Permission denied } /etc/raddb/mods-enabled/files[9]: Invalid configuration for module "files"
For /etc/raddb/mods-config/files/authorize I tried to make the permissions r-w-x for root and radius group and read for all other users... so 774 but I'm not having any luck getting radius to start. When I try to give full permission for testing (777), I get the same error.
Then it's not a FreeRADIUS problem. If the OS says that FR doesn't have permission to read the files, then the permissions are wrong. No amount of poking FR will fix the OS.
Hopefully there is enough information to pin point what's actually going on.
What OS are you using? The default install of FreeRADIUS works on Linux (all variants), *BSD, OSX, etc. So I'm not sure what else is going wrong here. But it looks like something on your OS, and nothing to do with FreeRADIUS. Alan DeKok.
participants (5)
-
Adam Bishop -
Alan Buxey -
Alan DeKok -
Nathan Ward -
Smith, James