Running radiusd as an unprivileged user

A.L.M.Buxey at lboro.ac.uk
Thu Jun 2 00:45:48 CEST 2005


Hi,

> Edit your radiusd.conf and uncomment:
> #user = nobody
> #group = nobody
> 
> You can manually add a new user the radius will run as. Probably the easiest way is to run vipw and copy a line from some other service, change the uid, gid and the username, edit /etc/group and put your group there as well.
> 
> Something like this should do on FreeBSD:
> radiusd:*:101:101::0:0:Radius Daemon:/var/log/radius:/usr/sbin/nologin
> 
> Or Linux
> radiusd:x:101:101:Radius Daemon:/var/log/radius:/bin/false
> 
> and in /etc/group
> radiusd:*:101:
> 
> chown -R radiusd:radiusd your log file and probably the config files
> 
> Then it should look something like:
> 
> #ps auxww | grep rad
> radiusd 81708  0.0  1.0  9316  4944  ??  Ss   11:26PM   0:00.01 /usr/local/sbin/radiusd
> 

and be aware that if you start radiusd as root in such a config, then 
freeradius can read all the config files as root happily...but if you
HUP it (to re-read the config files for example) then it will be running
as the user radius (or whatever you choose) and will not be able to
read any 'root only' privilege files, which can mess things up. 
I was never sure if this was a reported bug, or SHOULD be reported
as a bug of some kind - perhaps radiusd could alert about permissions
upon the first run?  You probably DON'T want to just let the radius server
have low-access to the config files, because then if it gets
buffer overflowed in any weird way, you'd be able to read all the nice
shared secret files....whereas if they stay as root -rw------ then the
overflowed shell would be running as radius user and unable to read
such files


alan 
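A way to audit the trade-off Alan describes, as an added example (not from the thread or the FreeRADIUS project): a POSIX sh script that classifies every file under a FreeRADIUS config directory by whether the unprivileged daemon user could still read it after dropping root. The directory path, user name and group name are arguments; the file names in the demo tree are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a FreeRADIUS config directory for
# the trade-off described above.  Once radiusd has dropped to the unprivileged
# user, a HUP re-read only succeeds for files that user can read; but every
# such file is also readable by a compromised daemon.  Root-only secrets
# (e.g. 0600 root:root) stay protected but need a full restart, not a HUP.
#
# Classification is by mode bits and owner/group only (POSIX find), so it can
# run as any user.  It checks the daemon's primary group only and assumes the
# daemon user is not root.  Directory, user and group are arguments.

# audit_raddb DIR USER GROUP -> one "<class> <path>" line per regular file
#   world-readable   o+r set: anyone on the box can read it
#   daemon-readable  readable by USER (owner bit) or GROUP (group bit), not others
#   reload-breaks    USER cannot read it: safe from the daemon, but a HUP
#                    reload will fail on this file
audit_raddb() {
    dir=$1 duser=$2 dgroup=$3
    find "$dir" -type f | while IFS= read -r f; do
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            echo "world-readable $f"
        elif [ -n "$(find "$f" -user "$duser" -perm -400 2>/dev/null)" ] ||
             [ -n "$(find "$f" -group "$dgroup" -perm -040 2>/dev/null)" ]; then
            echo "daemon-readable $f"
        else
            echo "reload-breaks $f"
        fi
    done
}

# count_class DIR USER GROUP CLASS -> number of files in that class
count_class() {
    audit_raddb "$1" "$2" "$3" | awk -v c="$4" '$1 == c { n++ } END { print n + 0 }'
}

# Stand-alone usage: build a constructed sample tree and report on it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    : > "$d/clients.conf"; chmod 644 "$d/clients.conf"   # shared secrets, o+r: bad
    : > "$d/radiusd.conf"; chmod 640 "$d/radiusd.conf"   # group-readable only
    : > "$d/eap.conf";     chmod 000 "$d/eap.conf"       # unreadable after the priv drop
    audit_raddb "$d" "$(id -un)" "$(id -gn)"
    rm -rf "$d"
fi
```

Run it against the real tree as `sh audit.sh` sourced with `audit_raddb /etc/raddb radiusd radiusd`; any `reload-breaks` line is a file that the running daemon will fail to re-read on HUP, and any `world-readable` line is a file every local user can read.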



More information about the Freeradius-Users mailing list