pam module / freeradius permissions
Hello, I'm running FreeRadius 2.2.0 and am looking for advice on resolving a permissions issue I am running into with a third-party pam module. As far as freeradius goes, I have it configured how I would like - radius authentication is being checked against PAM as I intended. The problem is that this pam module I am running currently requires root permissions but I would prefer to keep radiusd running as a restricted user. I've confirmed I can get around the issue by specifying radiusd to run as root but this is not desired. So my question - what would be the best way to run the freeradius pam sub-routine as root but keep the rest of the freeradius system runnning as my restricted user? I'm trying to avoid editing source code if I can help it. I realize this is not strictly related to freeradius but figured there may be a freeradius setting I'm not familiar here. Thanks in advance for any assistance. -- --Mike
On 5 Mar 2014, at 21:09, msheiny@seas.upenn.edu wrote:
Hello,
I'm running FreeRadius 2.2.0 and am looking for advice on resolving a permissions issue I am running into with a third-party pam module.
As far as freeradius goes, I have it configured how I would like - radius authentication is being checked against PAM as I intended. The problem is that this pam module I am running currently requires root permissions but I would prefer to keep radiusd running as a restricted user. I've confirmed I can get around the issue by specifying radiusd to run as root but this is not desired.
So my question - what would be the best way to run the freeradius pam sub-routine as root but keep the rest of the freeradius system runnning as my restricted user? I'm trying to avoid editing source code if I can help it. I realize this is not strictly related to freeradius but figured there may be a freeradius setting I'm not familiar here.
I honestly have no idea what you're talking about... how would the user FreeRADIUS is running as have any affect on the pam module? Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
msheiny@seas.upenn.edu wrote:
I'm running FreeRadius 2.2.0 and am looking for advice on resolving a permissions issue I am running into with a third-party pam module.
You've configured FreeRADIUS to use rlm_pam ?
As far as freeradius goes, I have it configured how I would like - radius authentication is being checked against PAM as I intended. The problem is that this pam module I am running currently requires root permissions but I would prefer to keep radiusd running as a restricted user. I've confirmed I can get around the issue by specifying radiusd to run as root but this is not desired.
Well, you don't really have a choice.
So my question - what would be the best way to run the freeradius pam sub-routine as root but keep the rest of the freeradius system runnning as my restricted user?
You can't have part of a process running as root, and another part as non-root. Process UID is global to the process.
I'm trying to avoid editing source code if I can help it. I realize this is not strictly related to freeradius but figured there may be a freeradius setting I'm not familiar here.
If you really care, you can run 2 RADIUS servers. One, which has *only* rlm_pam and runs as root. The other, running as a radius user, which proxies (some) packets to the first one. Alan DeKok.
On 6 Mar 2014, at 09:41, Alan DeKok <aland@deployingradius.com> wrote:
msheiny@seas.upenn.edu wrote:
I'm running FreeRadius 2.2.0 and am looking for advice on resolving a permissions issue I am running into with a third-party pam module.
You've configured FreeRADIUS to use rlm_pam ?
As far as freeradius goes, I have it configured how I would like - radius authentication is being checked against PAM as I intended. The problem is that this pam module I am running currently requires root permissions but I would prefer to keep radiusd running as a restricted user. I've confirmed I can get around the issue by specifying radiusd to run as root but this is not desired.
Well, you don't really have a choice.
So my question - what would be the best way to run the freeradius pam sub-routine as root but keep the rest of the freeradius system runnning as my restricted user?
You can't have part of a process running as root, and another part as non-root. Process UID is global to the process.
I'm trying to avoid editing source code if I can help it. I realize this is not strictly related to freeradius but figured there may be a freeradius setting I'm not familiar here.
If you really care, you can run 2 RADIUS servers. One, which has *only* rlm_pam and runs as root. The other, running as a radius user, which proxies (some) packets to the first one.
Ah *that* pam module. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Depending on your configuration you might be able to address the problem with group permission rather than user permission, i.e. having both the radius user and whatever pam needs be members of the same group. -- John
Yes - apologies for the confusion, I was referring to rlm_pam. Thanks Alan. I realize this isn't really an issue with freeradius and appreciate your advice. Just to clarify, I was messing with the pam-google-authenticator module which needed root permissions to change userid/groupid to read authenticator files out of user's home directories. Turns out you can specify userid in the pam options (with user=) but not group and it caused errors. I ended up editing the source code to ignore the group issue and pointed to a location where the radiusd user has permissions to read those authenticator files. Not sure if I missed another way around this but thats what ended up working for me. Thanks again! -- --Mike On Thu, Mar 06, 2014 at 09:41:03AM +0000, Alan DeKok wrote:
msheiny@seas.upenn.edu wrote:
I'm running FreeRadius 2.2.0 and am looking for advice on resolving a permissions issue I am running into with a third-party pam module.
You've configured FreeRADIUS to use rlm_pam ?
As far as freeradius goes, I have it configured how I would like - radius authentication is being checked against PAM as I intended. The problem is that this pam module I am running currently requires root permissions but I would prefer to keep radiusd running as a restricted user. I've confirmed I can get around the issue by specifying radiusd to run as root but this is not desired.
Well, you don't really have a choice.
So my question - what would be the best way to run the freeradius pam sub-routine as root but keep the rest of the freeradius system runnning as my restricted user?
You can't have part of a process running as root, and another part as non-root. Process UID is global to the process.
I'm trying to avoid editing source code if I can help it. I realize this is not strictly related to freeradius but figured there may be a freeradius setting I'm not familiar here.
If you really care, you can run 2 RADIUS servers. One, which has *only* rlm_pam and runs as root. The other, running as a radius user, which proxies (some) packets to the first one.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
John Dennis -
Michael L. Sheinberg -
msheiny@seas.upenn.edu