Can't start Freeradius with non-root user
Hello, everyone I'm having a problem when running freeradius with a non-root user/group. The service can't start because of permissions on log and pid files. When started in debug mode, the service starts and works fine, but fails in production: # radiusd radiusd: Failed to open log file /usr/local/var/log/radius/radius.log: Permission denied Changed the folder owner, but still got same error # chown -R radius:radius /usr/local/var/log/radius/ # radiusd radiusd: Failed to open log file /usr/local/var/log/radius/radius.log: Permission denied If I specify the file, freeradius can create log file but shows nothing on output # radiusd -l /usr/local/var/log/radius/radius.log # Cheking de log file, happens the same with the pid file: Error: Failed creating PID file /usr/local/var/run/radiusd/radiusd.pid: Permission denied Again, changed the folder owner, but still got same error # chown -R radius:radius /usr/local/var/run/radiusd/ Running with commented user and group options, the service works fine. I'm on Debian 8.0.3 and Freeradius 3.0.11 Freeradius was compiled with default options. The user was created with: useradd -r -d /usr/local/etc/raddb/ -s /bin/false radius Thanks for any help.
On Jun 29, 2016, at 1:33 PM, Jeanderson Soares <ssjeanderson@gmail.com> wrote:
I'm having a problem when running freeradius with a non-root user/group. The service can't start because of permissions on log and pid files. When started in debug mode, the service starts and works fine, but fails in production:
# radiusd radiusd: Failed to open log file /usr/local/var/log/radius/radius.log: Permission denied
The default installation of the server creates the correct permissions. SO that should work.
Changed the folder owner, but still got same error # chown -R radius:radius /usr/local/var/log/radius/
And what does "radiusd.conf" have for "user" and "group"? Is it "radius", or something else?
Cheking de log file, happens the same with the pid file: Error: Failed creating PID file /usr/local/var/run/radiusd/radiusd.pid: Permission denied
Again, the default installation works.
Again, changed the folder owner, but still got same error # chown -R radius:radius /usr/local/var/run/radiusd/
Running with commented user and group options, the service works fine.
I'm on Debian 8.0.3 and Freeradius 3.0.11
Freeradius was compiled with default options.
The user was created with: useradd -r -d /usr/local/etc/raddb/ -s /bin/false radius
If you're on Debian, either: a) use the default install. it works or b) create a debian package, and install that. It also works. It looks like you edited radiusd.conf to have a different user than normal, but didn't set the permissions correctly. Don't do that. Alan DeKok.
2016-06-29 15:52 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Jun 29, 2016, at 1:33 PM, Jeanderson Soares <ssjeanderson@gmail.com> wrote:
I'm having a problem when running freeradius with a non-root user/group. The service can't start because of permissions on log and pid files. When started in debug mode, the service starts and works fine, but fails in production:
# radiusd radiusd: Failed to open log file /usr/local/var/log/radius/radius.log: Permission denied
The default installation of the server creates the correct permissions. SO that should work.
Yes, It works with default configuration, but fails if configure radiusd.conf to use a unprivileged user.
Changed the folder owner, but still got same error # chown -R radius:radius /usr/local/var/log/radius/
And what does "radiusd.conf" have for "user" and "group"? Is it "radius", or something else?
Yes, I set in radiusd.conf: security { ... user = radius group = radius ... }
Cheking de log file, happens the same with the pid file: Error: Failed creating PID file /usr/local/var/run/radiusd/radiusd.pid: Permission denied
Again, the default installation works.
Again, changed the folder owner, but still got same error # chown -R radius:radius /usr/local/var/run/radiusd/
Running with commented user and group options, the service works fine.
I'm on Debian 8.0.3 and Freeradius 3.0.11
Freeradius was compiled with default options.
The user was created with: useradd -r -d /usr/local/etc/raddb/ -s /bin/false radius
If you're on Debian, either:
a) use the default install. it works
or
b) create a debian package, and install that. It also works.
It looks like you edited radiusd.conf to have a different user than normal, but didn't set the permissions correctly. Don't do that.
The "normal" user you talk is the user that runs the radiusd bin. My intention was to run the deamon as root and the freeradius itself changes his permissions to user/group "radius" defined in radiusd.conf, like Apache Webserver does. I will try the b), sounds like a better option
Alan DeKok.
many thanks
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jeanderson Soares
On Jun 29, 2016, at 3:43 PM, Jeanderson Soares <ssjeanderson@gmail.com> wrote:
Yes, It works with default configuration, but fails if configure radiusd.conf to use a unprivileged user.
It works if you set the permissions on the directory correctly. And if you're on a Debian system, build a debian package. Then when you install the package, all of the permissions will be correct. See the Wiki for how to create a debian package. Alan DeKok.
participants (2)
-
Alan DeKok -
Jeanderson Soares