Old school: FreeRADIUS and NIS

Adam Bishop Adam.Bishop at ja.net
Mon Mar 10 21:07:13 CET 2014

On 10 Mar 2014, at 19:28, Alan DeKok <aland at deployingradius.com> wrote:
>  So... putting 2 and 2 together, we get 4.  Setting "group = shadow"
> means "run FreeRADIUS as group shadow".  Since /etc/shadow can be read
> by anyone in group "shadow", this means that FreeRADIUS will now be able
> to read /etc/shadow.

As our friend has unsubscribed, this is mostly for anyone reading the archives.

I suspect the problem here is either SELinux or the shadow group not existing.

RHEL doesn't have a shadow group by default - as it's a nasty hack and potential source of vulnerability, you're expected to have the sense to create it yourself if it's needed.

It's also tagged with a unique policy type:

  [root at orps1 ~]# ls -alZ /etc/shadow
  ----------. root root system_u:object_r:shadow_t:s0    /etc/shadow

Which I *think* would cause an AVC denial.

Then there's the small matter of /etc/shadow having no permission mask by default.

But someone who's been doing this for a long time would have checked such things, or even provided us with the output of strace, right? :) 


Adam Bishop
Systems Development Specialist

   gpg: 0x6609D460
     t: +44 (0)1235 822 245
  xmpp: adamb at jabber.dev.ja.net

Janet, the UK's research and education network.

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
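
The checks raised in the message above (does the shadow group exist, does the file's group and mode allow a group read, what SELinux type does it carry), as an added example that is not part of the original post. The default group name `shadow`, the process name `radiusd` and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the checks behind "group = shadow".
# Usage: sh check_shadow.sh [FILE] [GROUP]   (defaults are assumptions)

# Succeeds if GROUP resolves through NSS (local files, NIS, ...).
group_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" >/dev/null 2>&1
    else
        grep -q "^$1:" /etc/group 2>/dev/null
    fi
}

# Succeeds only if FILE is group-owned by GROUP and the group-read bit is set.
# Returns 2 if FILE cannot be stat'ed, 1 if ownership or mode rules it out.
group_can_read() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    owner=$(stat -c '%G' "$1" 2>/dev/null) || return 2
    [ "$owner" = "$2" ] || return 1
    [ $(( 0$mode & 040 )) -ne 0 ]
}

# Prints the type field of an SELinux context string (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

report() {
    file=$1 group=$2
    if group_exists "$group"; then echo "group $group: exists"
    else echo "group $group: MISSING"; fi
    if group_can_read "$file" "$group"; then echo "$file: readable via group $group"
    else echo "$file: NOT readable via group $group (check owner group and mode)"; fi
    # stat -c %C fails where SELinux is not in use; then nothing is printed.
    ctx=$(stat -c '%C' "$file" 2>/dev/null) || ctx=
    [ -n "$ctx" ] && echo "$file: SELinux type $(context_type "$ctx")"
    # Assumption: the daemon's process name is radiusd. Needs root to read the audit log.
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts recent -c radiusd 2>/dev/null ||
            echo "no AVC records found for radiusd (or audit log not readable)"
    fi
    return 0
}

report "${1:-/etc/shadow}" "${2:-shadow}"
```

Passing all three file checks still leaves the SELinux policy question open, so the AVC search is the one to read after reproducing the failed login.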
