/etc/shadow

Norman Zhang
norman.zhang at gmail.com
Thu Nov 20 18:19:32 CET 2008

Alan DeKok wrote:
> Norman Zhang wrote:
>> My current radius installation permits radius daemon read-only access to
>> /etc/shadow. But this introduces security risks.
> 
>   Such as?
> 
>> -rw-r--r--  1 root root 6514 Nov 18 16:52 /etc/shadow
>>
>> I have been told to consider a MySQL back-end. Is there a way to pull the
>> existing local users/passwords into MySQL? Or do I have to recreate every
>> user plus password in MySQL?
> 
>   You can manually write a program that runs as root to pull
> user/password information from /etc/shadow, and copy it to an SQL database.
> 
>   But you will be providing the RADIUS server with... access to the
> username && password.  Which is what happens when you let it read
> /etc/shadow.
> 
>   i.e. If you're worried about letting your RADIUS server read
> /etc/shadow, you shouldn't be giving it *any* information about users or
> passwords.
Good point. I guess the security risk is to do with granting others +r
access to /etc/shadow. Maybe running
    chgrp shadow /etc/shadow
and changing radius.conf to
    user = radius
    group = shadow
would do the trick.
Norman
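An added audit check, not code from the thread or from FreeRADIUS, for the arrangement discussed above: /etc/shadow owned root:shadow with mode 0640, and radiusd running with group = shadow. It also flags the case the quoted listing shows, where the file is world-readable, so that changing the group alone would not close the gap. The expected owner/group/mode are assumptions taken from this thread, not a distribution default.

```python
import os
import stat
import pwd
import grp

# Policy assumed from the thread: root-owned, group "shadow", owner rw, group r.
EXPECTED_OWNER = "root"
EXPECTED_GROUP = "shadow"
ALLOWED_BITS = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP  # 0o640


def parse_ls_mode(perm: str) -> int:
    """Turn an 'ls -l' permission string such as '-rw-r--r--' into a mode int."""
    if len(perm) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    bits = 0
    for i, ch in enumerate(perm[1:]):  # skip the file-type character
        if ch in "rwx":                # setuid/setgid/sticky not handled here
            bits |= 1 << (8 - i)
    return bits


def audit_shadow(mode: int, owner: str, group: str) -> list:
    """Return policy violations for the given mode/owner/group (empty list = OK)."""
    findings = []
    perm = stat.S_IMODE(mode)
    if owner != EXPECTED_OWNER:
        findings.append(f"owner is {owner}, expected {EXPECTED_OWNER}")
    if group != EXPECTED_GROUP:
        findings.append(f"group is {group}, expected {EXPECTED_GROUP}")
    if perm & 0o007:
        findings.append("world-accessible: chgrp alone does not help, clear the 'other' bits")
    if perm & ~ALLOWED_BITS & ~0o007:
        findings.append(f"mode {perm:04o} grants more than owner rw, group r (0640)")
    return findings


def audit_path(path: str = "/etc/shadow") -> list:
    """Audit a real file on this host; needs to run where the file is stat-able."""
    st = os.stat(path)
    return audit_shadow(st.st_mode,
                        pwd.getpwuid(st.st_uid).pw_name,
                        grp.getgrgid(st.st_gid).gr_name)


if __name__ == "__main__":
    # Constructed from the listing quoted in the thread, not read from a live system.
    listing = "-rw-r--r--  1 root root 6514 Nov 18 16:52 /etc/shadow"
    fields = listing.split()
    for finding in audit_shadow(parse_ls_mode(fields[0]), fields[2], fields[3]):
        print("FINDING:", finding)
```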