pam module / freeradius permissions
Alan DeKok
aland at deployingradius.com
Thu Mar 6 10:41:03 CET 2014
msheiny at seas.upenn.edu wrote:
> I'm running FreeRadius 2.2.0 and am looking for advice on resolving a
> permissions issue I am running into with a third-party pam module.
You've configured FreeRADIUS to use rlm_pam ?
> As far as freeradius goes, I have it configured how I would like -
> radius authentication is being checked against PAM as I intended. The problem
> is that this pam module I am running currently requires root permissions but I
> would prefer to keep radiusd running as a restricted user. I've
> confirmed I can get around the issue by specifying radiusd to run as
> root but this is not desired.
Well, you don't really have a choice.
> So my question - what would be the best way to run the freeradius pam
> sub-routine as root but keep the rest of the freeradius system runnning
> as my restricted user?
You can't have part of a process running as root, and another part as
non-root. Process UID is global to the process.
> I'm trying to avoid editing source code if I can
> help it. I realize this is not strictly related to freeradius but
> figured there may be a freeradius setting I'm not familiar here.
If you really care, you can run 2 RADIUS servers. One, which has
*only* rlm_pam and runs as root. The other, running as a radius user,
which proxies (some) packets to the first one.
Alan DeKok.
More information about the Freeradius-Users
mailing list