pam module / freeradius permissions

Michael L. Sheinberg msheiny at
Thu Mar 6 16:07:54 CET 2014

Yes - apologies for the confusion, I was referring to rlm_pam. Thanks Alan. I 
realize this isn't really an issue with freeradius and appreciate your advice.

Just to clarify, I was messing with the pam-google-authenticator module
which needed root permissions to change userid/groupid to read
authenticator files out of user's home directories. Turns out you can
specify userid in the pam options (with user=) but not group and it
caused errors. 

I ended up editing the source code to ignore the group issue
and pointed to a location where the radiusd user has permissions to read
those authenticator files. Not sure if I missed another way around this
but thats what ended up working for me. 

Thanks again!


On Thu, Mar 06, 2014 at 09:41:03AM +0000, Alan DeKok wrote:
>msheiny at wrote:
>> I'm running FreeRadius 2.2.0 and am looking for advice on resolving a
>> permissions issue I am running into with a third-party pam module.  
>  You've configured FreeRADIUS to use rlm_pam ?
>> As far as freeradius goes, I have it configured how I would like -
>> radius authentication is being checked against PAM as I intended. The problem
>> is that this pam module I am running currently requires root permissions but I
>> would prefer to keep radiusd running as a restricted user. I've
>> confirmed I can get around the issue by specifying radiusd to run as
>> root but this is not desired.
>  Well, you don't really have a choice.
>> So my question - what would be the best way to run the freeradius pam
>> sub-routine as root but keep the rest of the freeradius system runnning
>> as my restricted user?
>  You can't have part of a process running as root, and another part as
>non-root.  Process UID is global to the process.
>> I'm trying to avoid editing source code if I can
>> help it. I realize this is not strictly related to freeradius but
>> figured there may be a freeradius setting I'm not familiar here.
>  If you really care, you can run 2 RADIUS servers.  One, which has
>*only* rlm_pam and runs as root.  The other, running as a radius user,
>which proxies (some) packets to the first one.
>  Alan DeKok.
>List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list