What else should radmin do?
a.cudbardb at freeradius.org
Thu Feb 5 12:10:11 CET 2015
> On 5 Feb 2015, at 16:29, Rui Ribeiro <ruyrybeyro at gmail.com> wrote:
> Interesting. You are right, I forgot to add, unlike you, I change the
> radmin group from the default freerad for security reasons, that is
> probably the cause. I do not think it is a good idea to have the control
> socket as freerad, if I am wrong someone please correct me.
> As for debian packaging, i am building my debs from the freeradius source,
> indeed. I may be wrong, may I had for a short time radmin working as
> non-root in 2.1.12.
radmin will work as none root.
It's dependent on OS whether socket file permissions are enforced.
If they are (Linux) you need to change the radiusd user/group to one that's permissive enough to allow whichever user you want to use to connect to the socket as, read/write access to the socket file.
After you get over that hurdle, you need to make sure the euid/egid of radmin match whatever you have set for the socket, so peercred authentication succeeds.
I have a pull request open for review:
To use file system permissions to enforce access. This should be significantly more flexible.
> radius2:~$ apt-cache policy freeradius
> Installed: 3.0.7+git
> Candidate: 3.0.7+git
> Version table:
> *** 3.0.7+git 0
> 500 http://debian.srv.rede/local/ iscte/wheezy amd64 Packages
> 100 /var/lib/dpkg/status
> On 5 February 2015 at 09:22, Bjørn Mork <bjorn at mork.no> wrote:
>> Rui Ribeiro <ruyrybeyro at gmail.com> writes:
>>> Hi Alan,
>>> It would be interesting to make radmin work as non-root. At least in
>>> 7 and 8, it has not work since 2.2.2 at least;
>> Debian 7 has 2.1.12. Debian 8 has 2.2.5. And radmin works fine as
>> non-root in both.
>> I did a test install on Debian sid (same freeradius package as in Debian
>> 8 "jessie"), just to verify right now. This is using default Debian
>> configs, except for enabling the control socket:
>> frtest1:/etc/freeradius/sites-enabled# ln -s
>> frtest1:/etc/freeradius/sites-enabled# /etc/init.d/freeradius restart
>> [ ok ] Stopping FreeRADIUS daemon: freeradius.
>> [ ok ] Starting FreeRADIUS daemon: freeradius.
>> test at frtest1:~$ apt-cache policy freeradius
>> Installed: 2.2.5+dfsg-0.2
>> Candidate: 2.2.5+dfsg-0.2
>> Version table:
>> *** 2.2.5+dfsg-0.2 0
>> 500 http://ftp.no.debian.org/debian/ sid/main amd64 Packages
>> 100 /var/lib/dpkg/status
>> test at frtest1:~$ id
>> uid=1001(test) gid=1001(test) groups=1001(test),112(freerad)
>> test at frtest1:~$ /usr/sbin/radmin
>> radmin version 2.2.5 - FreeRADIUS Server administration tool.
>> Copyright (C) 2008-2012 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License v2.
>> radmin> show version
>> FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 24
>> 2014 at 02:05:28
>> radmin> show uptime
>> Up since Thu Feb 5 10:14:02 2015
>>> I am using 3.0.7 from git atm.
>> OK, so your problems has nothing to do with any Debian packaging.
> Rui Ribeiro
> Senior Sysadm
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
More information about the Freeradius-Users