Mimic lower_user in FR2
Thor Spruyt
thor.spruyt at telenet.be
Fri Sep 25 21:33:13 CEST 2009
>----- Original message -----
>From: Alexander Clouter [mailto:alex at digriz.org.uk]
>Sent: Thursday, September 24, 2009 05:24 PM
>To: freeradius-users at lists.freeradius.org
>Subject: Re: Mimic lower_user in FR2
>
>Thor Spruyt <thor.spruyt at telenet.be> wrote:
>>
>> Since lower_user doesn't exist anymore in FR2, I was thinking of doing
>> the following in FR2 to mimic the behaviour, which seems to be working
>> correctly:
>>
>> In "hints" file:
>>
>> DEFAULT User-Name !~ /^$/
>>     User-Name := `%{exec:/opt/tolower %{User-Name}}`,
>>     Fall-Through = Yes
>>
>> DEFAULT Stripped-User-Name !~ /^$/
>>     Stripped-User-Name := `%{exec:/opt/tolower %{Stripped-User-Name}}`,
>>     Fall-Through = Yes
>>
>>
>> Content of "/opt/tolower":
>>
>> #!/bin/sh
>>
>> echo -n "$1" | tr '[A-Z]' '[a-z]'
>>
>> Is there any reason why I should not do this or why it's not recommended?
>> The servers on which I want to do this are not heavily loaded (<1req/s).
>>
>Well although the load is not a problem, I mean you should feel *really*
>dirty that every time a packet goes through your box, you system() out
>twice.
>
>Hell I feel dirty enough when doing the following for the not-often
>upstream proxying requests we do:
>----
>update proxy-request {
> NAS-IP-Address := `/bin/hostname -i`
> NAS-Identifier := `/bin/hostname -f`
>}
>----
>
>This however is just me being lazy until I patch FreeRADIUS to give me
>some static runtime variable action :)
>
>You should do this with Perl if you really want or alternatively I'll
>start sending your RADIUS server something like the following as you do
>no validation at all (you get the idea, might work, probably won't, but
>why risk it?):
>----
>User-Name = '\"; rm -rf /; echo \"'
>----
>
>Cheers
>
>--
>Alexander Clouter
>.sigmonster says: The best things in life go on sale sooner or later.
>
I would indeed tighten the script, but I was wondering if changing the 2 attributes in this way could cause problems in later processing.
Or maybe there's a better way which I don't know about to get the same result...
Regards,
Thor.
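
A tightened form of the /opt/tolower helper discussed above, as an added example that is not part of the original post: it allow-lists the characters a user name may contain and prints nothing for any other input. The function name to_lower, the allow-list and the 253-byte limit are assumptions, and the check only covers what happens once the value has arrived as the script's single argument.

```shell
#!/bin/sh
# Added example (not from the thread): validating replacement for /opt/tolower.
# Assumptions: the allow-list below and the 253-byte limit; adjust to local policy.

# Fixed C locale so the ranges in "case" and "tr" mean plain ASCII bytes.
LC_ALL=C
export LC_ALL

# to_lower NAME
# Prints NAME lower-cased and returns 0, or prints nothing and returns 1 when
# NAME is missing, empty, too long, or contains a character off the allow-list.
to_lower() {
    [ "$#" -eq 1 ] || return 1          # exactly one argument expected
    name=$1
    [ -n "$name" ] || return 1          # reject the empty string
    [ "${#name}" -le 253 ] || return 1  # assumed upper bound on length
    case $name in
        # Anything outside letters, digits and . _ @ - is refused: quotes,
        # backslashes, spaces, semicolons, backticks, $ and control bytes.
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    # printf '%s' writes the value verbatim; unlike "echo -n" it does not
    # interpret a leading dash or backslash sequences in the value.
    printf '%s' "$name" | tr 'A-Z' 'a-z'
}

# When run as a script with an argument, behave like the original helper but
# exit non-zero (and print nothing) on rejected input.
if [ "$#" -gt 0 ]; then
    to_lower "$@" || exit 1
fi
```

A rejected name produces empty output and a non-zero exit status, so the caller can tell a refusal from a successful conversion.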