Not-really-a-bug issue with rlm_unix and maybe other modules

Andrew Browning drew826 at
Mon Oct 17 16:22:48 CEST 2005

I'm not too sure if such a patch would be necessary. The section of
radiusd.conf in which you set the user/group for radiusd to run as
remind people to make sure that /etc/passwd, /etc/group, and
/etc/shadow (if applicable) are readable by that user/group. Adding a
more verbose output in case of wrong permissions may help some people,
but I think the majority of people catch that the first time through
the config files and set permissions or groups accordingly.

On 10/17/05, Martin.Ward at <Martin.Ward at> wrote:
> Hi,
> I had a problem with the Radius server where I was using the rlm_unix
> module to authenticate users against the passwd and shadow files, but even
> when the correct login and password was being used the user was not being
> authenticated. There was nothing reported in the log files at all apart
> from "Authentication refused".
> After much digging around and scrabbling through the source code I
> eventually found out that the permissions on the /etc/shadow file were
> incorrect. The permissions were 0400 with a group ownership of "sys"
> instead of being 0440 with a group ownership of "shadow" (or any other
> group of which the freerad user was a member), Changing the permissions and
> group membership fixed the problem.
> To make other people's lives easier I would like to request an update to
> the rlm_unix module to report a permissions error, or simply to report the
> output of strerror() to the log file, when such file errors occur.
> In the rlm_unix source file files are opened using the code:
> function_name(function defs) {
>                 FILE            *file = fopen(fname, "ro");
>                 struct passwd   *pwd = NULL;
>                 if(file == NULL) return NULL;
> ...
> I would suggest replacing the last line above with:
>                 if(file == NULL) {radlog(L_ERR, strerror(errno)); return
> NULL; }
> or whatever equivalent is required. I don't know about the portability of
> the strerror() function though, nor of all the details required when
> calling the radlog function.
> |\/|artin
> --
> Senior Network Administrator, NEC (Europe) Ltd.
> Acton extension: 3379
> NEC*Net: 800-44-21-3379
> Direct: +44 20 8752 3379
> Fax: +44 20 8752 3389
> Mobile: +44 7721 869 356
> *****************************************************************
> IMPORTANT: The information contained in this e-mail and attachment (if any)
> is intended for the person to whom it is addressed and may contain
> confidential and/or privileged information. The contents of this message
> may contain personal views which are not the views of NEC Europe Ltd or its
> subsidiaries, unless specifically stated. You should not copy, retain,
> forward or disclose its contents to anyone else, or take any action based
> upon it, if it is not addressed to you personally.  If you have received
> this e-mail in error please contact the sender immediately. Any legally
> binding agreement resulting from its content must be made separately in a
> printed medium.
> *****************************************************************
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list