3.0.4 release candidate 2
Stefan Winter
stefan.winter at restena.lu
Fri Aug 29 08:15:23 CEST 2014
Hi,
>> looking at the code inside rad_mkdir, it realises that the directory
>> exists, but then tries a chmod() with hard-wired permissions to 0700
>> (rlm_linelog.c hardwired this value) (why?) which fails (why, I don't
>> know, I'm root after all).
>
> SELinux?
No, turned out that the directory is owned by root, but the attempt at
chmod() was after radiusd dropped its UID/GID to the non-privileged
radiusd/radiusd.
In effect, radiusd at runtime forces the log dir to have the same owner
that is also the uid/gid of the daemon (else calling chmod() is not
authorized); and it scrubs any changes to permissions which an admin
may do on the filesystem himself.
Even if the same-ownership is the default on many installations, and 755
is probably the default as well, enforcing that silently in code is a
significant behaviour change (and none I see in the Changelog even).
Not what I expected in a patchlevel update anyway.
>> That chmod() wasn't done in earlier versions; used stat() and returned 0
>> without making a fuss.
>
> It's an attempt at security. If the call to rad_mkdir() says that the
> directory should be 0755, then the directory should be set to that.
>
> I've pushed a fix.
Hm. If the admin thinks otherwise, shouldn't his will be respected?
Also, the fix looks misplaced? I think it's the chmod() here:
    if (rcode < 0) {
        if (errno == EEXIST) {
            return chmod(directory, mode);
        }
The directory exists, so this is the code path with the "strange" chmod().
Your change doesn't do the chmod() on actual newly created directories.
I believe that *there* it makes sense to keep the chmod() because you'll
be populating something that didn't exist before with a sane default.
At the other place, you're changing things an admin did without asking him.
Greetings,
Stefan Winter
>
> Alan DeKok.
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66