Own exec module with bash: permission denied
Marten Pape
Marten.Pape at pape-hn.de
Sun Mar 20 17:29:30 CET 2011
Hello,
In my post-auth section I use a self-created exec module that is
supposed to execute a shell script. This shell script exists and its
modifiers are 777. But every time it should be executed, something like
this appears in the debug output:
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
/bin/bash: /root/bin/dhcp/update_dhcp_from_radius.sh: Permission denied
Exec-Program output:
Exec-Program: returned: 126
++[dhcpd_start] returns fail
Using Post-Auth-Type Reject
The system is: Debian 6.0, Freeradius 2.1.10; FreeRadius is used for
Wifi->802.1x via EAP-PEAP
Calling a program instead of bash tells me "Permission denied", too.
What could be the problem?
Thank you
Marten
The exec module is:
# -*- text -*-
#
# $Id$
#
# This is a more general example of the execute module.
#
# This one is called "dhcp_man".
#
# Attribute-Name = `%{dhcp_man:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec dhcpd_start {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
wait = yes
#
# The name of the program to execute, and its
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/bash /root/bin/dhcp/update_dhcp_from_radius.sh post-auth Start %{User-Name} %{Calling-Station-Id} %{NAS-IP-Address}"
# program = "/bin/bash whoami"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
# output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
packet_type = Access-Request
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
shell_escape = yes
}
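
The following is an added example, not part of the original post: a shell check that walks a script path such as the one above and reports the first component a given uid/gid cannot search or read, since mode 777 on the file itself does not help when a parent directory is closed to the account the server runs as. The account name freerad, the CHECK_ROOT variable and the file name pathcheck.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Judges classic mode bits only:
# ACLs, supplementary groups and AppArmor/SELinux are ignored. Needs GNU stat.
# Usage (account name "freerad" is an assumption; use your server's user):
#   sh pathcheck.sh /path/to/script "$(id -u freerad)" "$(id -g freerad)"
# CHECK_ROOT (hypothetical variable) prefixes every lookup, e.g. a mounted image.

# applicable_digit FILE UID GID -> prints the octal digit that governs UID/GID
applicable_digit() {
    info=$(stat -c '%a %u %g' "$1") || return 1
    set -- "$2" "$3" $info              # uid gid mode owner-uid owner-gid
    m="000$3"; m=${m#"${m%???}"}        # keep the last three octal digits
    if   [ "$1" = "$4" ]; then echo "${m%??}"
    elif [ "$2" = "$5" ]; then m=${m#?}; echo "${m%?}"
    else echo "${m#??}"
    fi
}

# first_blocked ABS_PATH UID GID
# Prints the first component UID/GID cannot use and returns 1 (2 if it cannot
# be inspected); prints nothing and returns 0 if the whole path is usable.
first_blocked() {
    fb_uid=$2; fb_gid=$3; cur=""
    if [ "$fb_uid" = 0 ]; then return 0; fi   # root bypasses mode bits
    old_ifs=$IFS; IFS=/; set -f
    set -- $1                                 # split the path on "/"
    set +f; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        d=$(applicable_digit "${CHECK_ROOT:-}$cur" "$fb_uid" "$fb_gid") ||
            { echo "$cur"; return 2; }
        # Directories need search (x=1). The final file is passed to
        # /bin/bash as an argument, so it needs read (r=4), not execute.
        if [ -d "${CHECK_ROOT:-}$cur" ]; then need=1; else need=4; fi
        [ $((d & need)) -ne 0 ] || { echo "$cur"; return 1; }
    done
    return 0
}

if [ $# -eq 3 ]; then first_blocked "$@"; fi
```

Run it as root or another account that can stat every component, otherwise the lookup itself fails and the function returns 2.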