Not-really-a-bug issue with rlm_unix and maybe other modules
Hi, I had a problem with the Radius server where I was using the rlm_unix module to authenticate users against the passwd and shadow files, but even when the correct login and password was being used the user was not being authenticated. There was nothing reported in the log files at all apart from "Authentication refused". After much digging around and scrabbling through the source code I eventually found out that the permissions on the /etc/shadow file were incorrect. The permissions were 0400 with a group ownership of "sys" instead of being 0440 with a group ownership of "shadow" (or any other group of which the freerad user was a member), Changing the permissions and group membership fixed the problem. To make other people's lives easier I would like to request an update to the rlm_unix module to report a permissions error, or simply to report the output of strerror() to the log file, when such file errors occur. In the rlm_unix source file files are opened using the code: function_name(function defs) { FILE *file = fopen(fname, "ro"); struct passwd *pwd = NULL; if(file == NULL) return NULL; ... I would suggest replacing the last line above with: if(file == NULL) {radlog(L_ERR, strerror(errno)); return NULL; } or whatever equivalent is required. I don't know about the portability of the strerror() function though, nor of all the details required when calling the radlog function. |\/|artin -- Senior Network Administrator, NEC (Europe) Ltd. Acton extension: 3379 NEC*Net: 800-44-21-3379 Direct: +44 20 8752 3379 Fax: +44 20 8752 3389 Mobile: +44 7721 869 356 ***************************************************************** IMPORTANT: The information contained in this e-mail and attachment (if any) is intended for the person to whom it is addressed and may contain confidential and/or privileged information. The contents of this message may contain personal views which are not the views of NEC Europe Ltd or its subsidiaries, unless specifically stated. You should not copy, retain, forward or disclose its contents to anyone else, or take any action based upon it, if it is not addressed to you personally. If you have received this e-mail in error please contact the sender immediately. Any legally binding agreement resulting from its content must be made separately in a printed medium. *****************************************************************
I'm not too sure if such a patch would be necessary. The section of radiusd.conf in which you set the user/group for radiusd to run as remind people to make sure that /etc/passwd, /etc/group, and /etc/shadow (if applicable) are readable by that user/group. Adding a more verbose output in case of wrong permissions may help some people, but I think the majority of people catch that the first time through the config files and set permissions or groups accordingly. On 10/17/05, Martin.Ward@uk.neceur.com <Martin.Ward@uk.neceur.com> wrote:
Hi,
I had a problem with the Radius server where I was using the rlm_unix module to authenticate users against the passwd and shadow files, but even when the correct login and password was being used the user was not being authenticated. There was nothing reported in the log files at all apart from "Authentication refused".
After much digging around and scrabbling through the source code I eventually found out that the permissions on the /etc/shadow file were incorrect. The permissions were 0400 with a group ownership of "sys" instead of being 0440 with a group ownership of "shadow" (or any other group of which the freerad user was a member), Changing the permissions and group membership fixed the problem.
To make other people's lives easier I would like to request an update to the rlm_unix module to report a permissions error, or simply to report the output of strerror() to the log file, when such file errors occur.
In the rlm_unix source file files are opened using the code:
function_name(function defs) { FILE *file = fopen(fname, "ro"); struct passwd *pwd = NULL; if(file == NULL) return NULL; ...
I would suggest replacing the last line above with:
if(file == NULL) {radlog(L_ERR, strerror(errno)); return NULL; }
or whatever equivalent is required. I don't know about the portability of the strerror() function though, nor of all the details required when calling the radlog function.
|\/|artin -- Senior Network Administrator, NEC (Europe) Ltd. Acton extension: 3379 NEC*Net: 800-44-21-3379 Direct: +44 20 8752 3379 Fax: +44 20 8752 3389 Mobile: +44 7721 869 356 ***************************************************************** IMPORTANT: The information contained in this e-mail and attachment (if any) is intended for the person to whom it is addressed and may contain confidential and/or privileged information. The contents of this message may contain personal views which are not the views of NEC Europe Ltd or its subsidiaries, unless specifically stated. You should not copy, retain, forward or disclose its contents to anyone else, or take any action based upon it, if it is not addressed to you personally. If you have received this e-mail in error please contact the sender immediately. Any legally binding agreement resulting from its content must be made separately in a printed medium. *****************************************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Andrew Browning -
Martin.Ward@uk.neceur.com