pam module / freeradius permissions
Michael L. Sheinberg
msheiny at seas.upenn.edu
Thu Mar 6 16:07:54 CET 2014
Yes - apologies for the confusion, I was referring to rlm_pam. Thanks Alan. I
realize this isn't really an issue with freeradius and appreciate your advice.
Just to clarify, I was messing with the pam-google-authenticator module
which needed root permissions to change userid/groupid to read
authenticator files out of user's home directories. Turns out you can
specify userid in the pam options (with user=) but not group and it
caused errors.
I ended up editing the source code to ignore the group issue
and pointed to a location where the radiusd user has permissions to read
those authenticator files. Not sure if I missed another way around this
but that's what ended up working for me.
Thanks again!
--
--Mike
On Thu, Mar 06, 2014 at 09:41:03AM +0000, Alan DeKok wrote:
>msheiny at seas.upenn.edu wrote:
>> I'm running FreeRadius 2.2.0 and am looking for advice on resolving a
>> permissions issue I am running into with a third-party pam module.
>
> You've configured FreeRADIUS to use rlm_pam ?
>
>> As far as freeradius goes, I have it configured how I would like -
>> radius authentication is being checked against PAM as I intended. The problem
>> is that this pam module I am running currently requires root permissions but I
>> would prefer to keep radiusd running as a restricted user. I've
>> confirmed I can get around the issue by specifying radiusd to run as
>> root but this is not desired.
>
> Well, you don't really have a choice.
>
>> So my question - what would be the best way to run the freeradius pam
>> sub-routine as root but keep the rest of the freeradius system running
>> as my restricted user?
>
> You can't have part of a process running as root, and another part as
>non-root. Process UID is global to the process.
>
>> I'm trying to avoid editing source code if I can
>> help it. I realize this is not strictly related to freeradius but
>> figured there may be a freeradius setting I'm not familiar here.
>
> If you really care, you can run 2 RADIUS servers. One, which has
>*only* rlm_pam and runs as root. The other, running as a radius user,
>which proxies (some) packets to the first one.
>
>
> Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
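The two-server split Alan describes, sketched below as FreeRADIUS 2.x configuration fragments. This is an added illustration, not configuration from the original post or from the FreeRADIUS project: the loopback port 18120, the shared-secret placeholder, the realm name `pam.local` and the two proxied user names are all assumptions, and each instance is assumed to be started with its own configuration directory (`radiusd -d <dir>`).

```conf
# ===== Backend instance (root): contains only rlm_pam, listens on loopback only =====

# radiusd.conf (2.x keeps user/group at the top level; 3.x moves them into security { })
user  = root
group = root

# sites-enabled/default: bind to loopback so nothing off-host can reach the root process
listen {
    type   = auth
    ipaddr = 127.0.0.1
    port   = 18120                         # assumed port; any free port works
}

# clients.conf: the only permitted client is the unprivileged front-end on the same host
client frontend {
    ipaddr = 127.0.0.1
    secret = CHANGE-ME-loopback-secret     # placeholder; use a long random value
}

# modules/pam: service name looked up under /etc/pam.d/ (where pam_google_authenticator
# would be configured; that stack is outside the scope of this example)
pam {
    pam_auth = radiusd
}

# sites-enabled/default: every request this instance sees goes to PAM, nothing else
authorize {
    update control {
        Auth-Type := PAM
    }
}
authenticate {
    Auth-Type PAM {
        pam
    }
}

# ===== Front-end instance (unprivileged): all other modules, proxies PAM users =====

# radiusd.conf
user  = radiusd
group = radiusd

# proxy.conf: the root-only backend becomes a home server behind an internal realm
home_server pam_backend {
    type   = auth
    ipaddr = 127.0.0.1
    port   = 18120
    secret = CHANGE-ME-loopback-secret     # must match the backend's clients.conf
}
home_server_pool pam_pool {
    type        = fail-over
    home_server = pam_backend
}
realm pam.local {                          # assumed internal name; clients never send it
    auth_pool = pam_pool
}

# users: only the accounts that need PAM are proxied ("some" packets);
# everyone else falls through to whatever the front-end handles locally
alice   Proxy-To-Realm := "pam.local"
bob     Proxy-To-Realm := "pam.local"
```

After starting both instances, confirm the privilege boundary with `ps -o user,pid,args -C radiusd`: exactly one process should be root, bound only to 127.0.0.1:18120, and the front-end should be the only process reachable from the network. Because the root instance still receives the clear-text PAP password from the front-end, keeping it on loopback with a strong, unique shared secret is what limits the exposure of that process.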