Freeradius -X option

Alan DeKok aland at deployingradius.com
Mon Jul 16 11:26:30 CEST 2007


Rascher, Markus wrote:
> The -X option of radiusd can be used to spoof passwords if the attacker
> is able to start the radius-daemon in -X mode.

  Only if you break the default install.

  If the attacker is able to *start* the server in -X mode, then it
means that the site administrator has given "a+r" permission to the
server configuration files.

  The simple answer is: "Don't do that".

  The server will refuse to start if its configuration files are
globally readable.  So it's secure.

> Is there a possibility to
> compile Freeradius without the ability to start in debugging mode?

  Edit the source code.

  Good luck trying to figure out why your policies don't work if you
don't have -X.  As you may have noticed from the README, FAQ, INSTALL,
and daily messages on the -users list, using -X is *highly* recommended.

  Alan DeKok.
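
An added example, not part of the original message and not FreeRADIUS code: a small audit that lists every entry under a configuration directory that grants any permission to "other" users (the "a+r" case described above). The function name and the directory passed on the command line are assumptions; it does not reproduce the server's own startup check.

```python
import os
import stat
import sys

# Permission bits granted to "other"; the "a+r" case from the message is S_IROTH.
OTHER_BITS = {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH}


def audit_config_tree(root):
    """Return sorted (path, bits) pairs for every file or directory under
    root (root included) that grants any access to "other" users."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Check the top directory once, then everything found below it.
        entries = [dirpath] if dirpath == root else []
        entries += [os.path.join(dirpath, name) for name in dirnames + filenames]
        for path in entries:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits do not control access
            granted = "".join(k for k, bit in OTHER_BITS.items() if mode & bit)
            if granted:
                findings.append((path, granted))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_conf.py <config-directory>")
    results = audit_config_tree(sys.argv[1])
    for path, bits in results:
        print(f"other={bits}  {path}")
    # Non-zero exit status lets a cron job or CI step flag the finding.
    sys.exit(1 if results else 0)
```

Run it as a user that can read the whole tree, for example from a deployment check, and treat any output as a permissions regression.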


