Running radiusd as an unprivileged user
Hi everyone, Just a quick question about running radiusd as a user other than root. Do I need to compile the server as that user? And do I need to do anything else other than uncomment the lines in radius.conf? Is there a help/doc file about this? Thanks a bunch. ======== Andrey
Hi Andrey. Edit your radiusd.conf and uncomment: #user = nobody #group = nobody You can manually add new users the radius will run as. Propaly the easiest way is to run vipw and copy line from some other service, change the uid, gid and the username, edit /etc/group and put there your group as well. Something like this should do on FreeBSD: radiusd:*:101:101::0:0:Radius Daemon:/var/log/radius:/usr/sbin/nologin Or Linux radiusd:x:101:101:Radius Daemon:/var/log/radius:/bin/false and in /etc/group radiusd:*:101: chown -R radiusd:radiusd your log file and propaly the config files Then it should look something like: #ps auxww | grep rad radiusd 81708 0.0 1.0 9316 4944 ?? Ss 11:26PM 0:00.01 /usr/local/sbin/radiusd Cheers, Marcin On Wed, 1 Jun 2005 16:49:37 -0400 Andrey <andrey@latestwave.com> wrote:
Hi everyone,
Just a quick question about running radiusd as a user other than root. Do I need to compile the server as that user? And do I need to do anything else other than uncomment the lines in radius.conf?
Is there a help/doc file about this?
Thanks a bunch.
======== Andrey
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Edit your radiusd.conf and uncomment: #user = nobody #group = nobody
You can manually add new users the radius will run as. Propaly the easiest way is to run vipw and copy line from some other service, change the uid, gid and the username, edit /etc/group and put there your group as well.
Something like this should do on FreeBSD: radiusd:*:101:101::0:0:Radius Daemon:/var/log/radius:/usr/sbin/nologin
Or Linux radiusd:x:101:101:Radius Daemon:/var/log/radius:/bin/false
and in /etc/group radiusd:*:101:
chown -R radiusd:radiusd your log file and propaly the config files
Then it should look something like:
#ps auxww | grep rad radiusd 81708 0.0 1.0 9316 4944 ?? Ss 11:26PM 0:00.01 /usr/local/sbin/radiusd
and be aware that if you start radiusd as root in such a config, then freeradius can read all the config files as root happily...but if you HUP it (to re-read the config files for example) then it will be running as the user radius (or whatever you choose) and will not be able to read any 'root only' priviledge files. which can mess things up. I was never sure if this was a reported bug, or SHOULD be reported as a bug of some kind - perhaps radiusd could alert about permissions upon the first run? You probably DONT want to just let the radius server to have low-access to the config files, because then if it gets buffer overflowed in any wierd way, you'd be able to read all the nice shared secret files....whereas if they stay as root -rw------ then the overflowed shell would be running as radius user and unable to read such files alan
> Hi Andrey. > > Edit your radiusd.conf and uncomment: > #user = nobody > #group = nobody done that. > You can manually add new users the radius will run as. Propaly the > easiest way is to run vipw and copy line from some other service, > change the uid, gid and the username, edit /etc/group and put there > your group as well. have that. > Something like this should do on FreeBSD: > radiusd:*:101:101::0:0:Radius Daemon:/var/log/radius:/usr/sbin/nologin > > Or Linux > radiusd:x:101:101:Radius Daemon:/var/log/radius:/bin/false > > and in /etc/group > radiusd:*:101: > > chown -R radiusd:radiusd your log file and propaly the config files chowned the log and config files. > Then it should look something like: > > #ps auxww | grep rad > radiusd 81708 0.0 1.0 9316 4944 ?? Ss 11:26PM 0:00.01 > /usr/local/sbin/radiusd > > Cheers, > Marcin > RESULT: It looks like it's working, but it doesn't authenticate anybody. It doesn't necessarily give an Access-Reject, but it also doesn't let anyone stay online. Lets users log in and then kicks them off 15 seconds later. Any ideas? Thanks for the suggestions. > > On Wed, 1 Jun 2005 16:49:37 -0400 > Andrey <andrey@latestwave.com> wrote: > >> Hi everyone, >> >> Just a quick question about running radiusd as a user other than >> root. Do I need >> to compile the server as that user? And do I need to do anything >> else other than >> uncomment the lines in radius.conf? >> >> Is there a help/doc file about this? >> >> Thanks a bunch. >> >> ======== >> Andrey >> >> >> >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html >
On Thu, 2 Jun 2005 09:24:53 -0400 Andrey <andrey@latestwave.com> wrote:
RESULT: It looks like it's working, but it doesn't authenticate anybody. It doesn't necessarily give an Access-Reject, but it also doesn't let anyone stay online. Lets users log in and then kicks them off 15 seconds later. Any ideas?
Do you mean an unauthorized user can login and then gets kicked out after 15 seconds? What you said doesn't make sense: "it doesn't authenticate anybody" and then you say "lets users log in" ... What does it say when you run it in debugging mode ? How did you configure it, how do you do authorization and authentication? Cheers, Marcin Jessa
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Andrey -
Marcin Jessa