Error: Failed switching up to euid 0: No such file or directory
André Carini
hello at silkerdax.com
Wed Feb 1 06:22:37 CET 2017
Hello everyone,

I'm trying to configure FreeRADIUS 3.0.11 on LEDE (SNAPSHOT,
r3157-2ef3810) to run chrooted, under a non-root user and a specific
directory with the required files mounted.

The problem I'm currently facing is "Error: Failed switching up to euid
0: No such file or directory" when running the server as a daemon with
the chroot option enabled. The file log isn't very helpful:

>root@OpenWRT-R1CL:/tmp/log# cat radius.log
>Wed Feb 1 04:54:14 2017 : Info: Debugger not attached
>Wed Feb 1 04:54:14 2017 : Warning: [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
>Wed Feb 1 04:54:14 2017 : Warning: [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>Wed Feb 1 04:54:14 2017 : Info: Loaded virtual server <default>
>Wed Feb 1 04:54:14 2017 : Info: Loaded virtual server default
>Wed Feb 1 04:54:14 2017 : Info: Loaded virtual server inner-tunnel
>Wed Feb 1 04:54:14 2017 : Error: Failed switching up to euid 0: No such file or directory

However, when I run radiusd -X I face no issues. (Full -X log at the end
of the email). Interestingly, when I run the daemon with user = root
defined under radiusd.conf I also do not receive any errors (but that
would defeat my objective of running FreeRADIUS with limited privileges).

I do not know how to interpret the error message "Error: Failed
switching up to euid 0: No such file or directory". I have defined the
chroot destination, directory mounts and user/group definitions to the
best of my ability. Please let me know if further troubleshooting and
information is required.

- André Carini
hello at silkerdax.com
======================================================================
root@OpenWRT-R1CL:~# radiusd -X
Server was built with:
accounting : yes
authentication : yes
ascend-binary-attributes : yes
coa : yes
control-socket : yes
detail : yes
dhcp : yes
dynamic-clients : yes
osfc2 : no
proxy : yes
regex-pcre : yes
regex-posix : no
regex-posix-extended : no
session-management : yes
stats : yes
tcp : yes
threads : yes
tls : yes
unlang : yes
vmps : yes
developer : no
Server core libs:
freeradius-server : 3.0.11
talloc : 2.0.*
ssl : 1.0.2j release
pcre : 8.40 2017-01-11
Endianness:
little
Compilation flags:
cppflags : -isystem
/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/include/
-I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/include
-I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/include
-I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/usr/include
-I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/include/fortify
-I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/include
cflags :
-I/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11
-I/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src
-include
/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src/freeradius-devel/autoconf.h
-include
/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src/freeradius-devel/build.h
-include
/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src/freeradius-devel/features.h
-include
/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src/freeradius-devel/radpaths.h
-fno-strict-aliasing -Os -pipe -mno-branch-likely -mips32r2 -mtune=24kc
-fno-caller-saves -fno-plt -fhonour-copts
-Wno-error=unused-but-set-variable -Wno-error=unused-result -msoft-float
-mips16 -minterlink-mips16 -iremap
/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11:freeradius-server-release_3_0_11
-Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1
-Wl,-z,now -Wl,-z,relro -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
ldflags :
-L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/lib
-Wl,-rpath,/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/lib
-L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/lib
-L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/lib
-L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/usr/lib
-L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/lib
-znow -zrelro
libs : -lcrypto -lssl -ltalloc -lpcre -lcap -lresolv -ldl
-lpthread -lcrypto -lssl -lcrypto -lssl -lcrypto -lssl -lreadline -lncurses
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius3/dictionary
including dictionary file /etc/freeradius3/dictionary
including configuration file /etc/freeradius3/radiusd.conf
including configuration file /etc/freeradius3/clients.conf
including files in directory /etc/freeradius3/mods-enabled/
including configuration file /etc/freeradius3/mods-enabled/eap
including configuration file /etc/freeradius3/mods-enabled/radutmp
including configuration file /etc/freeradius3/mods-enabled/files
including configuration file /etc/freeradius3/mods-enabled/sradutmp
including configuration file /etc/freeradius3/mods-enabled/preprocess
including configuration file /etc/freeradius3/mods-enabled/attr_filter
including configuration file /etc/freeradius3/mods-enabled/always
including configuration file /etc/freeradius3/mods-enabled/mschap
including files in directory /etc/freeradius3/policy.d/
including configuration file /etc/freeradius3/policy.d/eap
including configuration file /etc/freeradius3/policy.d/accounting
including configuration file /etc/freeradius3/policy.d/filter
including files in directory /etc/freeradius3/sites-enabled/
including configuration file /etc/freeradius3/sites-enabled/default
including configuration file /etc/freeradius3/sites-enabled/inner-tunnel
main {
security {
user = "radius"
group = "radius"
chroot = "/var/lib/freeradius3"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/lib/freeradius3"
logdir = "/var/log"
run_dir = "/var/lib/freeradius3/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/lib/freeradius3"
sbindir = "/usr/sbin"
logdir = "/var/log"
run_dir = "/var/lib/freeradius3/run/radiusd"
libdir = "/usr/lib/freeradius3"
radacctdir = "/var/db/radacct"
hostname_lookups = no
max_request_time = 10
cleanup_delay = 5
max_requests = 5120
pidfile = "/var/lib/freeradius3/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = off
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.500000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client openwrt {
ipaddr = 192.168.42.1
require_message_authenticator = yes
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = yes
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = yes
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = eap
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius3/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 5120
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius3/mods-enabled/radutmp
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = no
check_with_nas = no
permissions = 384
caller_id = yes
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius3/mods-enabled/files
files {
filename = "/etc/freeradius3/mods-config/files/authorize"
acctusersfile = "/etc/freeradius3/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius3/mods-config/files/pre-proxy"
}
# Loading module "sradutmp" from file
/etc/freeradius3/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius3/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius3/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius3/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius3/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius3/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius3/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius3/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius3/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius3/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius3/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius3/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius3/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius3/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius3/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius3/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius3/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius3/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius3/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius3/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
instantiate {
}
# Instantiating module "eap" from file /etc/freeradius3/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius3/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius3/certs/server.key"
certificate_file = "/etc/freeradius3/certs/server.pem"
ca_file = "/etc/freeradius3/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius3/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "files" from file
/etc/freeradius3/mods-enabled/files
reading pairlist file /etc/freeradius3/mods-config/files/authorize
reading pairlist file /etc/freeradius3/mods-config/files/accounting
reading pairlist file /etc/freeradius3/mods-config/files/pre-proxy
# Instantiating module "preprocess" from file
/etc/freeradius3/mods-enabled/preprocess
reading pairlist file /etc/freeradius3/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius3/mods-config/preprocess/hints
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius3/mods-enabled/attr_filter
reading pairlist file /etc/freeradius3/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius3/mods-enabled/attr_filter
reading pairlist file /etc/freeradius3/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius3/mods-enabled/attr_filter
reading pairlist file /etc/freeradius3/mods-config/attr_filter/access_reject
[/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm
"DEFAULT".
[/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius3/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius3/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius3/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius3/mods-config/attr_filter/accounting_response
# Instantiating module "reject" from file
/etc/freeradius3/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius3/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius3/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius3/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius3/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius3/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius3/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius3/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius3/mods-enabled/always
# Instantiating module "mschap" from file
/etc/freeradius3/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius3/radiusd.conf
} # server
server default { # from file /etc/freeradius3/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file
/etc/freeradius3/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 1813
limit {
max_pps = 3000
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Ready to process requests