pam module / freeradius permissions

Alan DeKok aland at
Thu Mar 6 10:41:03 CET 2014

msheiny at wrote:
> I'm running FreeRadius 2.2.0 and am looking for advice on resolving a
> permissions issue I am running into with a third-party pam module.  

  You've configured FreeRADIUS to use rlm_pam ?

> As far as freeradius goes, I have it configured how I would like -
> radius authentication is being checked against PAM as I intended. The problem
> is that this pam module I am running currently requires root permissions but I
> would prefer to keep radiusd running as a restricted user. I've
> confirmed I can get around the issue by specifying radiusd to run as
> root but this is not desired.

  Well, you don't really have a choice.

> So my question - what would be the best way to run the freeradius pam
> sub-routine as root but keep the rest of the freeradius system runnning
> as my restricted user?

  You can't have part of a process running as root, and another part as
non-root.  Process UID is global to the process.

> I'm trying to avoid editing source code if I can
> help it. I realize this is not strictly related to freeradius but
> figured there may be a freeradius setting I'm not familiar here.

  If you really care, you can run 2 RADIUS servers.  One, which has
*only* rlm_pam and runs as root.  The other, running as a radius user,
which proxies (some) packets to the first one.

  Alan DeKok.

More information about the Freeradius-Users mailing list