It is running on one of my production servers. So far no problems, but it has only run for q few hours. Sent from Verizon Wireless
Hi, okay....7k auths through so far and all fine so far.....for auths.. however, i have noticed a bug/change of bahviour which doesnt seem right. Fri Sep 2 17:15:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101 Fri Sep 2 17:15:16 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101 Fri Sep 2 17:15:29 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101 GID 101 is munin. munin has been added to the radiusd group which is defined in the control virtual server - and this used to work all okay with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have borked the access to radiusd.sock for other groups. alan
Alan Buxey wrote:
however, i have noticed a bug/change of bahviour which doesnt seem right.
Fri Sep 2 17:15:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101 Fri Sep 2 17:15:16 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101 Fri Sep 2 17:15:29 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101
GID 101 is munin.
OK.
munin has been added to the radiusd group which is defined in the control virtual server - and this used to work all okay with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have borked the access to radiusd.sock for other groups.
I've committed a fix to the v2.1.x branch of git which should address this. Alan DeKok.
Hi,
munin has been added to the radiusd group which is defined in the control virtual server - and this used to work all okay with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have borked the access to radiusd.sock for other groups.
I've committed a fix to the v2.1.x branch of git which should address this.
hmm, latest GIT version checked out and compiled...still seems to do the same: Mon Sep 5 13:39:33 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101 radiusd: FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep 5 2011 at 13:32:28 alan
On 5 Sep 2011, at 14:42, Alan Buxey wrote:
Hi,
munin has been added to the radiusd group which is defined in the control virtual server - and this used to work all okay with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have borked the access to radiusd.sock for other groups.
I've committed a fix to the v2.1.x branch of git which should address this.
hmm, latest GIT version checked out and compiled...still seems to do the same:
Checked the freeradius.org repo and the github repo and there's been no relevant commits... *poke* Alan D, git push... Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
Hi,
hmm, latest GIT version checked out and compiled...still seems to do the same:
Checked the freeradius.org repo and the github repo and there's been no relevant commits...
*poke* Alan D, git push...
:-) must've gone to a private repo! :-) PS thanks to this thread I've tweaked some of my settings too - and i love that RANDOM idea..... i'm wondering if theres any mileage in doing the same thing for Session-Time auth replies? for when a drove of people fireup their laptops/phones etc at start of lecture hours or when labs get booted up at same time with WoL ? alan
On 5 Sep 2011, at 15:06, Alan Buxey wrote:
Hi,
hmm, latest GIT version checked out and compiled...still seems to do the same:
Checked the freeradius.org repo and the github repo and there's been no relevant commits...
*poke* Alan D, git push...
:-) must've gone to a private repo! :-)
... and now a public repo, if you'd care to pull and try again.
PS thanks to this thread I've tweaked some of my settings too - and i love that RANDOM idea..... i'm wondering if theres any mileage in doing the same thing for Session-Time auth replies? for when a drove of people fireup their laptops/phones etc at start of lecture hours or when labs get booted up at same time with WoL ?
WoL stuff certainly. Also when you get a Switch/AP reboot and a bunch of devices come online at the same time, so you don't hammer the server with a bunch of simultaneous re-auths. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
Hi,
:-) must've gone to a private repo! :-)
... and now a public repo, if you'd care to pull and try again.
hmm, command.c and auth.c appears to have been updated but still see no joy with 'radmin' as munin user (who is in radiusd group) Mon Sep 5 15:55:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101 radiusd: FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep 5 2011 at 15:53:18 alan
hi, probably want to change this line in radmin.c too printf("Copyright (C) 2008 The FreeRADIUS server project and contributors.\n"); maybe change that string to a global that can be pulled in from an include? - this could then be used in other places where old copyright statements lurk.... alan
Alan Buxey wrote:
hmm, command.c and auth.c appears to have been updated but still see no joy with 'radmin' as munin user (who is in radiusd group)
Mon Sep 5 15:55:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101
My guess is that the "get peer id" function is returning only *one* group. Munin is first part of the "munin" group, but secondly part of the "radmin" group. So... the sockets asks "which group is connecting", and gets told "munin". I'm not sure there's a clean solution to that. Alan DeKok.
Hi,
My guess is that the "get peer id" function is returning only *one* group. Munin is first part of the "munin" group, but secondly part of the "radmin" group. So... the sockets asks "which group is connecting", and gets told "munin".
I'm not sure there's a clean solution to that.
hmm, it used to work - i guess the fix to fix the brokeness also broke this setup. alan
Alan Buxey wrote:
hmm, it used to work - i guess the fix to fix the brokeness also broke this setup.
I think the change is related to checking the peer ID on the new connection, rather than the old one. See commit f0e7064e58f712853c429dcb27e53861f1a9cde1 Alan DeKok.
Alan DeKok <aland@deployingradius.com> writes:
Alan Buxey wrote:
hmm, command.c and auth.c appears to have been updated but still see no joy with 'radmin' as munin user (who is in radiusd group)
Mon Sep 5 15:55:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101
My guess is that the "get peer id" function is returning only *one* group. Munin is first part of the "munin" group, but secondly part of the "radmin" group. So... the sockets asks "which group is connecting", and gets told "munin".
I assume that's because the function uses the sockopt " SO_PEERCRED Return the credentials of the foreign process connected to this socket. This is only possible for connected AF_UNIX stream sockets and AF_UNIX stream and datagram socket pairs created using socketpair(2); see unix(7). The returned credentials are those that were in effect at the time of the call to connect(2) or socketpair(2). Argu‐ ment is a ucred structure. This socket option is read-only. " So how about just running 'sg radiusd radmin'? Would that work? And be an acceptable workaround? Bjørn
participants (5)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Bjørn Mork -
ironrake@yahoo.com