NAS info + MySQL

Alan DeKok aland at
Tue Jun 7 21:05:00 CEST 2005

Marcin Jessa <lists at> wrote:
> One more thing about this solution is you would need to either run
> radiusd as root or chown radiususer:radiusgroup the radius configs
> in order to be able to HUP radiusd.  Radius daemon is started as
> root and then switched to the unprivileged user defined in
> radiusd.conf Radius will die if it gets signal HUP and the config
> files are not owned by the unprivileged user.

  No.  It will die if it can't read the files.  That's different.

> Having radius configs owned by unprivileged user increases security
> risk, since this will grant an attacker who manages to abuse the
> server access to change the configs...  Either way, sending -HUP
> signal to a running radius daemon seems like a bad idea.

  Only if the file permissions prevent it.

$ chown -R root.radiusd /etc/raddb
$ chmod o+rw /etc/raddb/*
$ chmod g-w /etc/raddb/*
$ chmod g+r /etc/raddb/*

  And have the server run as user "radiusd", group "radiusd".  It has
read permissions to radiusd.conf, so a HUP will work.  It doesn't have
write permissions, so it's secure.

  This is what different groups & file permissions are for.

  Alan DeKok.

More information about the Freeradius-Users mailing list