Running as root to authenticate against system accounts..
Hello, I've recently been looking into getting a FreeRADIUS server to authenticate against the system passwd file. When I was originally testing, it always seemed to reject my access, no matter what I tried. So I did some searching on the lists, and found another person that was having a similar issue. They discovered that the system only allows root to read the shadow password file, so when radius was requesting the password, it would get rejected. So I changed my setup to run the radiusd daemon as root, and tested again. Sure enough, if radiusd is run as root, I can authenticate against the system. So now my question is: What security concerns should I have if I run the radiusd as root? Is there another way to do this that doesn't require radiusd to run as root? Basically, I just want to make sure this is the best way to authenticate against system accounts, or if there's some other method that I've missed :) thx! k
Kevin Hanser <kevin@mica.net> wrote:
So I changed my setup to run the radiusd daemon as root, and tested again. Sure enough, if radiusd is run as root, I can authenticate against the system.
Which is why the default is to run as root. See the "user" directive in radiusd.conf, and the comments above it. The only thing missing in the comments is that you might have to create a shadow group, and make /etc/shadow readable by that group.
So now my question is: What security concerns should I have if I run the radiusd as root? Is there another way to do this that doesn't require radiusd to run as root?
See the comments in radiusd.conf. Alan DeKok.
Alan DeKok wrote:
Kevin Hanser <kevin@mica.net> wrote:
So I changed my setup to run the radiusd daemon as root, and tested again. Sure enough, if radiusd is run as root, I can authenticate against the system.
Which is why the default is to run as root. See the "user" directive in radiusd.conf, and the comments above it. The only thing missing in the comments is that you might have to create a shadow group, and make /etc/shadow readable by that group.
Hmm. Wonder how I missed that :) I was changing the user to root using the user directive, but I guess I overlooked the comments directly above it that pretty much explains my question :) Thanx for pointing me to the proper place :) I was initially stumped that my system didn't have a "shadow" group, but then I re-read your message above and created one. Once I did that and restarted radiusd in the shadow group, system authentication is working great! Thx! k
participants (2)
-
Alan DeKok -
Kevin Hanser