AW: Freeradius -X option

Rascher, Markus at
Mon Jul 16 11:29:44 CEST 2007


-----Ursprüngliche Nachricht-----
Von: at [ at] Im Auftrag von Alan DeKok
Gesendet: Montag, 16. Juli 2007 11:27
An: FreeRadius developers mailing list
Betreff: Re: Freeradius -X option

Rascher, Markus wrote:
> The -X option of radiusd can be used to spoof passwords if the attacker
> is able to start the radius-deamon in -X mode.

  Only if you break the default install.

  If the attacker is able to *start* the server in -X mode, then it
means that the site administrator has given "a+r" permission to the
server configuration files.

  The simple answer is: "Don't do that".

  The server will refuse to start if its configuration files are
globally readable.  So it's secure.

> Is there a possibility to
> compile Freeradius without the ability to start in debugging mode?

  Edit the source code.

  Good luck trying to figure out why your policies don't work if you
don't have -X.  As you may have noticed from the README, FAQ, INSTALL,
and daily messages on the -users list, using -X is *highly* recommended.

  Alan DeKok.
List info/subscribe/unsubscribe? See

More information about the Freeradius-Devel mailing list