Error: Failed switching up to euid 0: No such file or directory
Peter Lambrechtsen
peter at crypt.nz
Wed Feb 1 20:15:23 CET 2017
Have you made sure you specified the user you want to run as in the
radiusd.conf?
On 1/02/2017 18:27, "André Carini" <hello at silkerdax.com> wrote:
> Hello everyone,
>
> I'm trying to configure FreeRADIUS 3.0.11 on LEDE (SNAPSHOT,
> r3157-2ef3810) to run chrooted, under a non-root user and a specific
> directory with the required files mounted.
>
> The problem I'm currently facing is "Error: Failed switching up to euid
> 0: No such file or directory" when running the server as a daemon with
> the chroot option enabled. The file log isn't very helpful:
>
> >root at OpenWRT-R1CL:/tmp/log# cat radius.log
> >Wed Feb 1 04:54:14 2017 : Info: Debugger not attached
> >Wed Feb 1 04:54:14 2017 : Warning:
> [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> >Wed Feb 1 04:54:14 2017 : Warning:
> [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay-USec" found in filter list for realm
> "DEFAULT".
> >Wed Feb 1 04:54:14 2017 : Info: Loaded virtual server <default>
> >Wed Feb 1 04:54:14 2017 : Info: Loaded virtual server default
> >Wed Feb 1 04:54:14 2017 : Info: Loaded virtual server inner-tunnel
> >Wed Feb 1 04:54:14 2017 : Error: Failed switching up to euid 0: No
> such file or directory
>
> However, when I run radiusd -X I face no issues. (Full -X log at the end
> of the email). Interestingly, when I run the daemon with user = root
> defined under radiusd.conf I also do not receive any errors (but that
> would defeat my objective of running FreeRADIUS with limited privileges).
>
> I do not know how to interpret the error message "Error: Failed
> switching up to euid 0: No such file or directory". I have defined the
> chroot destination, directory mounts and user/group definitions to the
> best of my ability. Please let me know if further troubleshooting and
> information is required.
>
> - André Carini
> hello at silkerdax.com
>
> ======================================================================
>
> root at OpenWRT-R1CL:~# radiusd -X
> Server was built with:
> accounting : yes
> authentication : yes
> ascend-binary-attributes : yes
> coa : yes
> control-socket : yes
> detail : yes
> dhcp : yes
> dynamic-clients : yes
> osfc2 : no
> proxy : yes
> regex-pcre : yes
> regex-posix : no
> regex-posix-extended : no
> session-management : yes
> stats : yes
> tcp : yes
> threads : yes
> tls : yes
> unlang : yes
> vmps : yes
> developer : no
> Server core libs:
> freeradius-server : 3.0.11
> talloc : 2.0.*
> ssl : 1.0.2j release
> pcre : 8.40 2017-01-11
> Endianness:
> little
> Compilation flags:
> cppflags : -isystem
> /data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> target-mipsel_24kc_musl-1.1.16/usr/include/
> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> target-mipsel_24kc_musl-1.1.16/usr/include
> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> target-mipsel_24kc_musl-1.1.16/include
> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/usr/include
> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/include/fortify
> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/include
> cflags :
> -I/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/
> target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11
> -I/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/
> target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src
> -include
> /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/
> target-mipsel_24kc_musl-1.1.16/freeradius-server-release_
> 3_0_11/src/freeradius-devel/autoconf.h
> -include
> /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/
> target-mipsel_24kc_musl-1.1.16/freeradius-server-release_
> 3_0_11/src/freeradius-devel/build.h
> -include
> /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/
> target-mipsel_24kc_musl-1.1.16/freeradius-server-release_
> 3_0_11/src/freeradius-devel/features.h
> -include
> /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/
> target-mipsel_24kc_musl-1.1.16/freeradius-server-release_
> 3_0_11/src/freeradius-devel/radpaths.h
> -fno-strict-aliasing -Os -pipe -mno-branch-likely -mips32r2 -mtune=24kc
> -fno-caller-saves -fno-plt -fhonour-copts
> -Wno-error=unused-but-set-variable -Wno-error=unused-result -msoft-float
> -mips16 -minterlink-mips16 -iremap
> /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/
> target-mipsel_24kc_musl-1.1.16/freeradius-server-release_
> 3_0_11:freeradius-server-release_3_0_11
> -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1
> -Wl,-z,now -Wl,-z,relro -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT
> -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
> ldflags :
> -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> target-mipsel_24kc_musl-1.1.16/usr/lib
> -Wl,-rpath,/data/bowl-builder/mipsel_24kc/build/sdk/staging_
> dir/target-mipsel_24kc_musl-1.1.16/usr/lib
> -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> target-mipsel_24kc_musl-1.1.16/usr/lib
> -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> target-mipsel_24kc_musl-1.1.16/lib
> -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/usr/lib
> -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/
> toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/lib
> -znow -zrelro
> libs : -lcrypto -lssl -ltalloc -lpcre -lcap -lresolv -ldl
> -lpthread -lcrypto -lssl -lcrypto -lssl -lcrypto -lssl -lreadline -lncurses
>
> Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius3/dictionary
> including dictionary file /etc/freeradius3/dictionary
> including configuration file /etc/freeradius3/radiusd.conf
> including configuration file /etc/freeradius3/clients.conf
> including files in directory /etc/freeradius3/mods-enabled/
> including configuration file /etc/freeradius3/mods-enabled/eap
> including configuration file /etc/freeradius3/mods-enabled/radutmp
> including configuration file /etc/freeradius3/mods-enabled/files
> including configuration file /etc/freeradius3/mods-enabled/sradutmp
> including configuration file /etc/freeradius3/mods-enabled/preprocess
> including configuration file /etc/freeradius3/mods-enabled/attr_filter
> including configuration file /etc/freeradius3/mods-enabled/always
> including configuration file /etc/freeradius3/mods-enabled/mschap
> including files in directory /etc/freeradius3/policy.d/
> including configuration file /etc/freeradius3/policy.d/eap
> including configuration file /etc/freeradius3/policy.d/accounting
> including configuration file /etc/freeradius3/policy.d/filter
> including files in directory /etc/freeradius3/sites-enabled/
> including configuration file /etc/freeradius3/sites-enabled/default
> including configuration file /etc/freeradius3/sites-enabled/inner-tunnel
> main {
> security {
> user = "radius"
> group = "radius"
> chroot = "/var/lib/freeradius3"
> allow_core_dumps = no
> }
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var/lib/freeradius3"
> logdir = "/var/log"
> run_dir = "/var/lib/freeradius3/run/radiusd"
> }
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var/lib/freeradius3"
> sbindir = "/usr/sbin"
> logdir = "/var/log"
> run_dir = "/var/lib/freeradius3/run/radiusd"
> libdir = "/usr/lib/freeradius3"
> radacctdir = "/var/db/radacct"
> hostname_lookups = no
> max_request_time = 10
> cleanup_delay = 5
> max_requests = 5120
> pidfile = "/var/lib/freeradius3/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = off
> log {
> stripped_names = no
> auth = yes
> auth_badpass = yes
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> max_attributes = 200
> reject_delay = 1.500000
> status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> radiusd: #### Loading Clients ####
> client openwrt {
> ipaddr = 192.168.42.1
> require_message_authenticator = yes
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = yes
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost_ipv6 {
> ipv6addr = ::1
> require_message_authenticator = yes
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Debugger not attached
> # Creating Auth-Type = MS-CHAP
> # Creating Auth-Type = eap
> radiusd: #### Instantiating modules ####
> modules {
> # Loaded module rlm_eap
> # Loading module "eap" from file /etc/freeradius3/mods-enabled/eap
> eap {
> default_eap_type = "peap"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 5120
> }
> # Loaded module rlm_radutmp
> # Loading module "radutmp" from file /etc/freeradius3/mods-enabled/
> radutmp
> radutmp {
> filename = "/var/log/radutmp"
> username = "%{User-Name}"
> case_sensitive = no
> check_with_nas = no
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_files
> # Loading module "files" from file /etc/freeradius3/mods-enabled/files
> files {
> filename = "/etc/freeradius3/mods-config/files/authorize"
> acctusersfile = "/etc/freeradius3/mods-config/files/accounting"
> preproxy_usersfile = "/etc/freeradius3/mods-config/
> files/pre-proxy"
> }
> # Loading module "sradutmp" from file
> /etc/freeradius3/mods-enabled/sradutmp
> radutmp sradutmp {
> filename = "/var/log/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loaded module rlm_preprocess
> # Loading module "preprocess" from file
> /etc/freeradius3/mods-enabled/preprocess
> preprocess {
> huntgroups = "/etc/freeradius3/mods-config/preprocess/huntgroups"
> hints = "/etc/freeradius3/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> # Loaded module rlm_attr_filter
> # Loading module "attr_filter.post-proxy" from file
> /etc/freeradius3/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/freeradius3/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.pre-proxy" from file
> /etc/freeradius3/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/freeradius3/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.access_reject" from file
> /etc/freeradius3/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/freeradius3/mods-config/
> attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.access_challenge" from file
> /etc/freeradius3/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename =
> "/etc/freeradius3/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.accounting_response" from file
> /etc/freeradius3/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename =
> "/etc/freeradius3/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loaded module rlm_always
> # Loading module "reject" from file /etc/freeradius3/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Loading module "fail" from file /etc/freeradius3/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Loading module "ok" from file /etc/freeradius3/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Loading module "handled" from file /etc/freeradius3/mods-enabled/
> always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Loading module "invalid" from file /etc/freeradius3/mods-enabled/
> always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Loading module "userlock" from file /etc/freeradius3/mods-enabled/
> always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Loading module "notfound" from file /etc/freeradius3/mods-enabled/
> always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Loading module "noop" from file /etc/freeradius3/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Loading module "updated" from file /etc/freeradius3/mods-enabled/
> always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_mschap
> # Loading module "mschap" from file /etc/freeradius3/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> }
> instantiate {
> }
> # Instantiating module "eap" from file /etc/freeradius3/mods-enabled/eap
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> verify_depth = 0
> ca_path = "/etc/freeradius3/certs"
> pem_file_type = yes
> private_key_file = "/etc/freeradius3/certs/server.key"
> certificate_file = "/etc/freeradius3/certs/server.pem"
> ca_file = "/etc/freeradius3/certs/ca.pem"
> private_key_password = <<< secret >>>
> dh_file = "/etc/freeradius3/certs/dh"
> fragment_size = 1024
> include_length = yes
> auto_chain = yes
> check_crl = no
> check_all_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> lifetime = 24
> max_entries = 255
> }
> verify {
> skip_if_ocsp_ok = no
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
> tls: Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Instantiating module "files" from file
> /etc/freeradius3/mods-enabled/files
> reading pairlist file /etc/freeradius3/mods-config/files/authorize
> reading pairlist file /etc/freeradius3/mods-config/files/accounting
> reading pairlist file /etc/freeradius3/mods-config/files/pre-proxy
> # Instantiating module "preprocess" from file
> /etc/freeradius3/mods-enabled/preprocess
> reading pairlist file /etc/freeradius3/mods-config/preprocess/huntgroups
> reading pairlist file /etc/freeradius3/mods-config/preprocess/hints
> # Instantiating module "attr_filter.post-proxy" from file
> /etc/freeradius3/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius3/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
> /etc/freeradius3/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius3/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
> /etc/freeradius3/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius3/mods-config/
> attr_filter/access_reject
> [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay" found in filter list for realm
> "DEFAULT".
> [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay-USec" found in filter list for realm
> "DEFAULT".
> # Instantiating module "attr_filter.access_challenge" from file
> /etc/freeradius3/mods-enabled/attr_filter
> reading pairlist file
> /etc/freeradius3/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
> /etc/freeradius3/mods-enabled/attr_filter
> reading pairlist file
> /etc/freeradius3/mods-config/attr_filter/accounting_response
> # Instantiating module "reject" from file
> /etc/freeradius3/mods-enabled/always
> # Instantiating module "fail" from file
> /etc/freeradius3/mods-enabled/always
> # Instantiating module "ok" from file /etc/freeradius3/mods-enabled/
> always
> # Instantiating module "handled" from file
> /etc/freeradius3/mods-enabled/always
> # Instantiating module "invalid" from file
> /etc/freeradius3/mods-enabled/always
> # Instantiating module "userlock" from file
> /etc/freeradius3/mods-enabled/always
> # Instantiating module "notfound" from file
> /etc/freeradius3/mods-enabled/always
> # Instantiating module "noop" from file
> /etc/freeradius3/mods-enabled/always
> # Instantiating module "updated" from file
> /etc/freeradius3/mods-enabled/always
> # Instantiating module "mschap" from file
> /etc/freeradius3/mods-enabled/mschap
> rlm_mschap (mschap): using internal authentication
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/freeradius3/radiusd.conf
> } # server
> server default { # from file /etc/freeradius3/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading session {...}
> # Loading post-auth {...}
> } # server default
> server inner-tunnel { # from file
> /etc/freeradius3/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-auth {...}
> } # server inner-tunnel
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = *
> port = 1812
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 1813
> limit {
> max_pps = 3000
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipv6addr = ::
> port = 1812
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipv6addr = ::
> port = 1813
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Listening on auth address * port 1812 bound to server default
> Listening on acct address * port 1813 bound to server default
> Listening on auth address :: port 1812 bound to server default
> Listening on acct address :: port 1813 bound to server default
> Ready to process requests
>
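A preflight check for the chrooted, non-root setup discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it reads expanded `key = "value"` lines like those in the `-X` dump and verifies that `user` is set and resolvable and that `logdir` and `run_dir` exist beneath the `chroot` directory. The helper names, the `SYSROOT` test parameter and the sample tree are constructed here, and that the server looks for those directories inside the chroot is an assumption; the check does not establish the cause of the error reported above.

```shell
#!/bin/sh
# Added example: preflight for a chrooted, non-root radiusd configuration.
# Input: expanded `key = "value"` lines, as printed in a `radiusd -X` dump.

# conf_get FILE KEY: print the first value of KEY with quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# chroot_preflight DUMP [SYSROOT]: print findings, return how many there were.
# SYSROOT (hypothetical test hook) is prepended to every path that is checked;
# leave it empty to check the running system.
chroot_preflight() {
    conf=$1 sys=${2:-} n=0
    user=$(conf_get "$conf" user)
    jail=$(conf_get "$conf" chroot)
    if [ -z "$user" ]; then
        echo "FAIL: no user configured in the security section"; n=$((n + 1))
    elif ! grep -q "^$user:" "$sys/etc/passwd" 2>/dev/null; then
        echo "FAIL: user '$user' not found in $sys/etc/passwd"; n=$((n + 1))
    fi
    if [ -n "$jail" ]; then
        [ -d "$sys$jail" ] || { echo "FAIL: chroot dir $jail does not exist"; n=$((n + 1)); }
        # After chroot(2), absolute paths resolve against the new root.
        for key in logdir run_dir; do
            p=$(conf_get "$conf" "$key")
            [ -n "$p" ] || continue
            [ -d "$sys$jail$p" ] || { echo "FAIL: $key $p missing inside chroot ($jail$p)"; n=$((n + 1)); }
        done
    fi
    return "$n"
}

# Constructed sample: the security/path values from the dump above, placed in
# a throwaway tree where the directories exist on the host but not in the jail.
# This layout is invented for the demo and is not the poster's actual system.
sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/var/lib/freeradius3/run/radiusd" "$t/var/log"
    echo 'radius:x:100:100::/var/lib/freeradius3:/bin/false' > "$t/etc/passwd"
    cat > "$t/radiusd.dump" <<'EOF'
 user = "radius"
 group = "radius"
 chroot = "/var/lib/freeradius3"
 logdir = "/var/log"
 run_dir = "/var/lib/freeradius3/run/radiusd"
EOF
    echo "$t"
}

t=$(sample_tree)
chroot_preflight "$t/radiusd.dump" "$t" || echo "$? finding(s)"
rm -rf "$t"
```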