Can't start Freeradius with non-root user

Jeanderson Soares ssjeanderson at gmail.com
Wed Jun 29 21:43:06 CEST 2016


2016-06-29 15:52 GMT-03:00 Alan DeKok <aland at deployingradius.com>:

> On Jun 29, 2016, at 1:33 PM, Jeanderson Soares <ssjeanderson at gmail.com> wrote:
> > I'm having a problem when running freeradius with a non-root user/group.
> > The service can't start because of permissions on log and pid files.
> > When started in debug mode, the service starts and works fine, but fails in
> > production:
> >
> > # radiusd
> > radiusd: Failed to open log file /usr/local/var/log/radius/radius.log:
> > Permission denied
>
>   The default installation of the server creates the correct permissions.
> So that should work.
>
Yes, it works with the default configuration, but fails if I configure
radiusd.conf to use an unprivileged user.

>
> > Changed the folder owner, but still got same error
> > # chown -R radius:radius /usr/local/var/log/radius/
>
>   And what does "radiusd.conf" have for "user" and "group"?   Is it
> "radius", or something else?
>
Yes, I set in radiusd.conf:
security {
...
     user = radius
     group = radius
...
}

>
> > Checking the log file, the same happens with the pid file:
> > Error: Failed creating PID file /usr/local/var/run/radiusd/radiusd.pid:
> > Permission denied
>
>   Again, the default installation works.
>
> > Again, changed the folder owner, but still got same error
> > # chown -R radius:radius /usr/local/var/run/radiusd/
> >
> > Running with commented user and group options, the service works fine.
> >
> > I'm on Debian 8.0.3 and Freeradius 3.0.11
> >
> > Freeradius was compiled with default options.
> >
> > The user was created with:
> > useradd -r -d /usr/local/etc/raddb/ -s /bin/false radius
>
>   If you're on Debian, either:
>
> a) use the default install.  it works
>
> or
>
> b) create a debian package, and install that.  It also works.
>
>   It looks like you edited radiusd.conf to have a different user than
> normal, but didn't set the permissions correctly.  Don't do that.
>

The "normal" user you talk about is the user that runs the radiusd bin. My
intention was to run the daemon as root and have freeradius itself change
its permissions to the user/group "radius" defined in radiusd.conf, like Apache
Webserver does.

I will try b); it sounds like a better option.

>
>   Alan DeKok.

many thanks



Jeanderson Soares
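
Added example, not part of the original thread and not FreeRADIUS code: a shell check that walks every directory above a log or PID file and reports the first mode bits that would stop a given unprivileged uid/gid from writing there, since `chown -R` on the leaf directory leaves its parent directories unchanged. It assumes GNU `stat` and looks only at owner/group/other bits (no ACLs, supplementary groups or LSM policy); the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Usage, as root, with the paths from the thread:
#   first_blocker "$(id -u radius)" "$(id -g radius)" /usr/local/var/log/radius/radius.log
#   first_blocker "$(id -u radius)" "$(id -g radius)" /usr/local/var/run/radiusd/radiusd.pid

# Print the rwx digit (0-7) that applies to uid $1 / primary gid $2 on path $3.
perm_digit() {
    local uid="$1" gid="$2" mode
    set -- $(stat -L -c '%u %g %a' "$3" 2>/dev/null)
    [ $# -eq 3 ] || return 2                 # stat failed
    mode=$(printf '%03d' "$3")               # "0" -> "000"
    mode=${mode#"${mode%???}"}               # drop setuid/setgid/sticky digit
    if   [ "$uid" = "$1" ]; then mode=${mode%??}                 # owner digit
    elif [ "$gid" = "$2" ]; then mode=${mode#?}; mode=${mode%?}  # group digit
    else mode=${mode#??}                                         # other digit
    fi
    echo "$mode"
}

# Print the first thing that stops uid $1 / gid $2 from writing the absolute
# path $3 and return 1; print nothing and return 0 if the mode bits allow it.
first_blocker() {
    local uid="$1" gid="$2" file="$3" cur=/ part d old_ifs="$IFS"
    IFS=/; set -- $(dirname "$file"); IFS="$old_ifs"
    for part in "$@"; do
        [ -n "$part" ] || continue
        # Every ancestor directory needs the search (x) bit.
        d=$(perm_digit "$uid" "$gid" "$cur") || { echo "$cur: cannot stat"; return 1; }
        [ $(( d & 1 )) -ne 0 ] || { echo "$cur: no search (x) permission"; return 1; }
        cur=${cur%/}/$part
    done
    # The directory holding the file needs w and x to create it.
    d=$(perm_digit "$uid" "$gid" "$cur") || { echo "$cur: cannot stat"; return 1; }
    [ $(( d & 3 )) -eq 3 ] || { echo "$cur: directory needs w and x"; return 1; }
    # A file left over from an earlier run must itself be writable.
    if [ -e "$file" ]; then
        d=$(perm_digit "$uid" "$gid" "$file") || { echo "$file: cannot stat"; return 1; }
        [ $(( d & 2 )) -ne 0 ] || { echo "$file: existing file not writable"; return 1; }
    fi
    return 0
}
```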

