pam module / freeradius permissions
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Mar 6 11:41:47 CET 2014
On 6 Mar 2014, at 09:41, Alan DeKok <aland at deployingradius.com> wrote:
> msheiny at seas.upenn.edu wrote:
>> I'm running FreeRadius 2.2.0 and am looking for advice on resolving a
>> permissions issue I am running into with a third-party pam module.
>
> You've configured FreeRADIUS to use rlm_pam ?
>
>> As far as freeradius goes, I have it configured how I would like -
>> radius authentication is being checked against PAM as I intended. The problem
>> is that this pam module I am running currently requires root permissions but I
>> would prefer to keep radiusd running as a restricted user. I've
>> confirmed I can get around the issue by specifying radiusd to run as
>> root but this is not desired.
>
> Well, you don't really have a choice.
>
>> So my question - what would be the best way to run the freeradius pam
>> sub-routine as root but keep the rest of the freeradius system running
>> as my restricted user?
>
> You can't have part of a process running as root, and another part as
> non-root. Process UID is global to the process.
>
>> I'm trying to avoid editing source code if I can
>> help it. I realize this is not strictly related to freeradius but
>> figured there may be a freeradius setting I'm not familiar here.
>
> If you really care, you can run 2 RADIUS servers. One, which has
> *only* rlm_pam and runs as root. The other, running as a radius user,
> which proxies (some) packets to the first one.
Ah *that* pam module.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
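
The two-server layout suggested in the quoted reply, sketched as FreeRADIUS 2.x configuration fragments. This is an added example, not configuration from the thread or from the FreeRADIUS project; the names `pam_root`, `pam_pool`, `pam_backend` and `frontend`, the account `radiusd`, port 11812, the directory `/etc/raddb-pam` and the secret are all assumed placeholders.

```conf
# ---- Front end (unprivileged instance): radiusd.conf ----
user = radiusd              # assumed restricted account
group = radiusd

# ---- Front end: proxy.conf ----
home_server pam_root {
	type = auth
	ipaddr = 127.0.0.1
	port = 11812            # constructed port for the root instance
	secret = CHANGE_ME      # placeholder shared secret
}
home_server_pool pam_pool {
	type = fail-over
	home_server = pam_root
}
realm pam_backend {
	auth_pool = pam_pool
	nostrip
}

# ---- Front end: inside authorize { } of the virtual server ----
# Wrap in a condition to proxy only some packets.
update control {
	Proxy-To-Realm := "pam_backend"
}

# ---- Back end (root instance), own config dir: radiusd -d /etc/raddb-pam ----
# radiusd.conf: leave user/group unset so the process stays root.
listen {
	type = auth
	ipaddr = 127.0.0.1      # loopback only: reachable from the front end alone
	port = 11812
}

# ---- Back end: clients.conf (the front end is the only client) ----
client frontend {
	ipaddr = 127.0.0.1
	secret = CHANGE_ME      # must match home_server secret above
}

# ---- Back end: virtual server with rlm_pam as the only module ----
authorize {
	update control {
		Auth-Type := Pam
	}
}
authenticate {
	Auth-Type Pam {
		pam
	}
}
```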