Old school: FreeRADIUS and NIS
Adam Bishop
Adam.Bishop at ja.net
Mon Mar 10 21:07:13 CET 2014
On 10 Mar 2014, at 19:28, Alan DeKok <aland at deployingradius.com> wrote:
> So... putting 2 and 2 together, we get 4. Setting "group = shadow"
> means "run FreeRADIUS as group shadow". Since /etc/shadow can be read
> by anyone in group "shadow", this means that FreeRADIUS will now be able
> to read /etc/shadow.
As our friend has unsubscribed, this is mostly for anyone reading the archives.
I suspect the problem here is either SELinux or the shadow group not existing.
RHEL doesn't have a shadow group by default - as it's a nasty hack and potential source of vulnerability, you're expected to have the sense to create it yourself if it's needed.
It's also tagged with a unique policy type:
[root at orps1 ~]# ls -alZ /etc/shadow
----------. root root system_u:object_r:shadow_t:s0 /etc/shadow
Which I *think* would cause an AVC denial.
Then there's the small matter of /etc/shadow having no permission mask by default.
But someone who's been doing this for a long time would have checked such things, or even provided us with the output of strace, right? :)
Regards,
Adam Bishop
Systems Development Specialist
gpg: 0x6609D460
t: +44 (0)1235 822 245
xmpp: adamb at jabber.dev.ja.net
Janet, the UK's research and education network.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238