Error: Failed switching up to euid 0: No such file or directory
André Carini
hello at silkerdax.com
Fri Feb 17 21:00:18 CET 2017
On 1/2/17 5:15 PM, Peter Lambrechtsen wrote:
> Have you made sure you specified the user you want to run as in the
> radiusd.conf ??
This is the relevant section from the radiusd.conf file:
> security {
> user = "radius"
> group = "radius"
> chroot = "/var/lib/freeradius3"
> allow_core_dumps = no
> }
This is how the user is defined in:
/etc/shadow
> radius:*:0:0:99999:7:::
/etc/passwd
> radius:*:1042:1042:radius:/var/lib/freeradius3/run/radiusd:/bin/ash
/etc/group
> radius:x:1042:radius
I'm not sure if it is a misconfiguration on my part or an actual issue
with the underlying code. Any suggestions for troubleshooting are welcome.
> On 1/02/2017 18:27, "André Carini" <hello at silkerdax.com> wrote:
>
>> Hello everyone,
>>
>> I'm trying to configure FreeRADIUS 3.0.11 on LEDE (SNAPSHOT,
>> r3157-2ef3810) to run chrooted, under a non-root user and a specific
>> directory with the required files mounted.
>>
>> The problem I'm currently facing is "Error: Failed switching up to euid
>> 0: No such file or directory" when running the server as a daemon with
>> the chroot option enabled. The file log isn't very helpful:
>>
>>> root at OpenWRT-R1CL:/tmp/log# cat radius.log
>>> Wed Feb 1 04:54:14 2017 : Info: Debugger not attached
>>> Wed Feb 1 04:54:14 2017 : Warning: [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
>>> Wed Feb 1 04:54:14 2017 : Warning: [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>>> Wed Feb 1 04:54:14 2017 : Info: Loaded virtual server <default>
>>> Wed Feb 1 04:54:14 2017 : Info: Loaded virtual server default
>>> Wed Feb 1 04:54:14 2017 : Info: Loaded virtual server inner-tunnel
>>> Wed Feb 1 04:54:14 2017 : Error: Failed switching up to euid 0: No such file or directory
>>
>> However, when I run radiusd -X I face no issues. (Full -X log at the end
>> of the email). Interestingly, when I run the daemon with user = root
>> defined under radiusd.conf I also do not receive any errors (but that
>> would defeat my objective of running FreeRADIUS with limited privileges).
>>
>> I do not know how to interpret the error message "Error: Failed
>> switching up to euid 0: No such file or directory". I have defined the
>> chroot destination, directory mounts and user/group definitions to the
>> best of my ability. Please let me know if further troubleshooting and
>> information is required.
>>
>> - André Carini
>> hello at silkerdax.com
>>
>> ======================================================================
>>
>> root at OpenWRT-R1CL:~# radiusd -X
>> Server was built with:
>> accounting : yes
>> authentication : yes
>> ascend-binary-attributes : yes
>> coa : yes
>> control-socket : yes
>> detail : yes
>> dhcp : yes
>> dynamic-clients : yes
>> osfc2 : no
>> proxy : yes
>> regex-pcre : yes
>> regex-posix : no
>> regex-posix-extended : no
>> session-management : yes
>> stats : yes
>> tcp : yes
>> threads : yes
>> tls : yes
>> unlang : yes
>> vmps : yes
>> developer : no
>> Server core libs:
>> freeradius-server : 3.0.11
>> talloc : 2.0.*
>> ssl : 1.0.2j release
>> pcre : 8.40 2017-01-11
>> Endianness:
>> little
>> Compilation flags:
>> cppflags : -isystem /data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/include/
>> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/include
>> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/include
>> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/usr/include
>> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/include/fortify
>> -I/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/include
>> cflags : -I/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11
>> -I/data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src
>> -include /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src/freeradius-devel/autoconf.h
>> -include /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src/freeradius-devel/build.h
>> -include /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src/freeradius-devel/features.h
>> -include /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11/src/freeradius-devel/radpaths.h
>> -fno-strict-aliasing -Os -pipe -mno-branch-likely -mips32r2 -mtune=24kc
>> -fno-caller-saves -fno-plt -fhonour-copts
>> -Wno-error=unused-but-set-variable -Wno-error=unused-result -msoft-float
>> -mips16 -minterlink-mips16
>> -iremap /data/bowl-builder/mipsel_24kc/build/sdk/build_dir/target-mipsel_24kc_musl-1.1.16/freeradius-server-release_3_0_11:freeradius-server-release_3_0_11
>> -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1
>> -Wl,-z,now -Wl,-z,relro -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT
>> -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
>> ldflags : -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/lib
>> -Wl,-rpath,/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/lib
>> -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/usr/lib
>> -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/target-mipsel_24kc_musl-1.1.16/lib
>> -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/usr/lib
>> -L/data/bowl-builder/mipsel_24kc/build/sdk/staging_dir/toolchain-mipsel_24kc_gcc-5.4.0_musl-1.1.16/lib
>> -znow -zrelro
>> libs : -lcrypto -lssl -ltalloc -lpcre -lcap -lresolv -ldl
>> -lpthread -lcrypto -lssl -lcrypto -lssl -lcrypto -lssl -lreadline -lncurses
>>
>> Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License
>> For more information about these matters, see the file named COPYRIGHT
>> Starting - reading configuration files ...
>> including dictionary file /usr/share/freeradius3/dictionary
>> including dictionary file /etc/freeradius3/dictionary
>> including configuration file /etc/freeradius3/radiusd.conf
>> including configuration file /etc/freeradius3/clients.conf
>> including files in directory /etc/freeradius3/mods-enabled/
>> including configuration file /etc/freeradius3/mods-enabled/eap
>> including configuration file /etc/freeradius3/mods-enabled/radutmp
>> including configuration file /etc/freeradius3/mods-enabled/files
>> including configuration file /etc/freeradius3/mods-enabled/sradutmp
>> including configuration file /etc/freeradius3/mods-enabled/preprocess
>> including configuration file /etc/freeradius3/mods-enabled/attr_filter
>> including configuration file /etc/freeradius3/mods-enabled/always
>> including configuration file /etc/freeradius3/mods-enabled/mschap
>> including files in directory /etc/freeradius3/policy.d/
>> including configuration file /etc/freeradius3/policy.d/eap
>> including configuration file /etc/freeradius3/policy.d/accounting
>> including configuration file /etc/freeradius3/policy.d/filter
>> including files in directory /etc/freeradius3/sites-enabled/
>> including configuration file /etc/freeradius3/sites-enabled/default
>> including configuration file /etc/freeradius3/sites-enabled/inner-tunnel
>> main {
>> security {
>> user = "radius"
>> group = "radius"
>> chroot = "/var/lib/freeradius3"
>> allow_core_dumps = no
>> }
>> name = "radiusd"
>> prefix = "/usr"
>> localstatedir = "/var/lib/freeradius3"
>> logdir = "/var/log"
>> run_dir = "/var/lib/freeradius3/run/radiusd"
>> }
>> main {
>> name = "radiusd"
>> prefix = "/usr"
>> localstatedir = "/var/lib/freeradius3"
>> sbindir = "/usr/sbin"
>> logdir = "/var/log"
>> run_dir = "/var/lib/freeradius3/run/radiusd"
>> libdir = "/usr/lib/freeradius3"
>> radacctdir = "/var/db/radacct"
>> hostname_lookups = no
>> max_request_time = 10
>> cleanup_delay = 5
>> max_requests = 5120
>> pidfile = "/var/lib/freeradius3/run/radiusd/radiusd.pid"
>> checkrad = "/usr/sbin/checkrad"
>> debug_level = 0
>> proxy_requests = off
>> log {
>> stripped_names = no
>> auth = yes
>> auth_badpass = yes
>> auth_goodpass = no
>> colourise = yes
>> msg_denied = "You are already logged in - access denied"
>> }
>> resources {
>> }
>> security {
>> max_attributes = 200
>> reject_delay = 1.500000
>> status_server = yes
>> }
>> }
>> radiusd: #### Loading Realms and Home Servers ####
>> radiusd: #### Loading Clients ####
>> client openwrt {
>> ipaddr = 192.168.42.1
>> require_message_authenticator = yes
>> secret = <<< secret >>>
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> client localhost {
>> ipaddr = 127.0.0.1
>> require_message_authenticator = yes
>> secret = <<< secret >>>
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> client localhost_ipv6 {
>> ipv6addr = ::1
>> require_message_authenticator = yes
>> secret = <<< secret >>>
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> Debugger not attached
>> # Creating Auth-Type = MS-CHAP
>> # Creating Auth-Type = eap
>> radiusd: #### Instantiating modules ####
>> modules {
>> # Loaded module rlm_eap
>> # Loading module "eap" from file /etc/freeradius3/mods-enabled/eap
>> eap {
>> default_eap_type = "peap"
>> timer_expire = 60
>> ignore_unknown_eap_types = no
>> cisco_accounting_username_bug = no
>> max_sessions = 5120
>> }
>> # Loaded module rlm_radutmp
>> # Loading module "radutmp" from file /etc/freeradius3/mods-enabled/radutmp
>> radutmp {
>> filename = "/var/log/radutmp"
>> username = "%{User-Name}"
>> case_sensitive = no
>> check_with_nas = no
>> permissions = 384
>> caller_id = yes
>> }
>> # Loaded module rlm_files
>> # Loading module "files" from file /etc/freeradius3/mods-enabled/files
>> files {
>> filename = "/etc/freeradius3/mods-config/files/authorize"
>> acctusersfile = "/etc/freeradius3/mods-config/files/accounting"
>> preproxy_usersfile = "/etc/freeradius3/mods-config/files/pre-proxy"
>> }
>> # Loading module "sradutmp" from file
>> /etc/freeradius3/mods-enabled/sradutmp
>> radutmp sradutmp {
>> filename = "/var/log/sradutmp"
>> username = "%{User-Name}"
>> case_sensitive = yes
>> check_with_nas = yes
>> permissions = 420
>> caller_id = no
>> }
>> # Loaded module rlm_preprocess
>> # Loading module "preprocess" from file
>> /etc/freeradius3/mods-enabled/preprocess
>> preprocess {
>> huntgroups = "/etc/freeradius3/mods-config/preprocess/huntgroups"
>> hints = "/etc/freeradius3/mods-config/preprocess/hints"
>> with_ascend_hack = no
>> ascend_channels_per_line = 23
>> with_ntdomain_hack = no
>> with_specialix_jetstream_hack = no
>> with_cisco_vsa_hack = no
>> with_alvarion_vsa_hack = no
>> }
>> # Loaded module rlm_attr_filter
>> # Loading module "attr_filter.post-proxy" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> attr_filter attr_filter.post-proxy {
>> filename = "/etc/freeradius3/mods-config/attr_filter/post-proxy"
>> key = "%{Realm}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.pre-proxy" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> attr_filter attr_filter.pre-proxy {
>> filename = "/etc/freeradius3/mods-config/attr_filter/pre-proxy"
>> key = "%{Realm}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.access_reject" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> attr_filter attr_filter.access_reject {
>> filename = "/etc/freeradius3/mods-config/attr_filter/access_reject"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.access_challenge" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> attr_filter attr_filter.access_challenge {
>> filename =
>> "/etc/freeradius3/mods-config/attr_filter/access_challenge"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.accounting_response" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> attr_filter attr_filter.accounting_response {
>> filename =
>> "/etc/freeradius3/mods-config/attr_filter/accounting_response"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loaded module rlm_always
>> # Loading module "reject" from file /etc/freeradius3/mods-enabled/always
>> always reject {
>> rcode = "reject"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "fail" from file /etc/freeradius3/mods-enabled/always
>> always fail {
>> rcode = "fail"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "ok" from file /etc/freeradius3/mods-enabled/always
>> always ok {
>> rcode = "ok"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "handled" from file /etc/freeradius3/mods-enabled/always
>> always handled {
>> rcode = "handled"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "invalid" from file /etc/freeradius3/mods-enabled/always
>> always invalid {
>> rcode = "invalid"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "userlock" from file /etc/freeradius3/mods-enabled/always
>> always userlock {
>> rcode = "userlock"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "notfound" from file /etc/freeradius3/mods-enabled/always
>> always notfound {
>> rcode = "notfound"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "noop" from file /etc/freeradius3/mods-enabled/always
>> always noop {
>> rcode = "noop"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "updated" from file /etc/freeradius3/mods-enabled/always
>> always updated {
>> rcode = "updated"
>> simulcount = 0
>> mpp = no
>> }
>> # Loaded module rlm_mschap
>> # Loading module "mschap" from file /etc/freeradius3/mods-enabled/mschap
>> mschap {
>> use_mppe = yes
>> require_encryption = no
>> require_strong = no
>> with_ntdomain_hack = yes
>> passchange {
>> }
>> allow_retry = yes
>> }
>> instantiate {
>> }
>> # Instantiating module "eap" from file /etc/freeradius3/mods-enabled/eap
>> # Linked to sub-module rlm_eap_tls
>> tls {
>> tls = "tls-common"
>> }
>> tls-config tls-common {
>> verify_depth = 0
>> ca_path = "/etc/freeradius3/certs"
>> pem_file_type = yes
>> private_key_file = "/etc/freeradius3/certs/server.key"
>> certificate_file = "/etc/freeradius3/certs/server.pem"
>> ca_file = "/etc/freeradius3/certs/ca.pem"
>> private_key_password = <<< secret >>>
>> dh_file = "/etc/freeradius3/certs/dh"
>> fragment_size = 1024
>> include_length = yes
>> auto_chain = yes
>> check_crl = no
>> check_all_crl = no
>> cipher_list = "DEFAULT"
>> ecdh_curve = "prime256v1"
>> cache {
>> enable = yes
>> lifetime = 24
>> max_entries = 255
>> }
>> verify {
>> skip_if_ocsp_ok = no
>> }
>> ocsp {
>> enable = no
>> override_cert_url = yes
>> url = "http://127.0.0.1/ocsp/"
>> use_nonce = yes
>> timeout = 0
>> softfail = no
>> }
>> }
>> # Linked to sub-module rlm_eap_peap
>> peap {
>> tls = "tls-common"
>> default_eap_type = "mschapv2"
>> copy_request_to_tunnel = no
>> use_tunneled_reply = no
>> proxy_tunneled_request_as_eap = yes
>> virtual_server = "inner-tunnel"
>> soh = no
>> require_client_cert = no
>> }
>> tls: Using cached TLS configuration from previous invocation
>> # Linked to sub-module rlm_eap_mschapv2
>> mschapv2 {
>> with_ntdomain_hack = no
>> send_error = no
>> }
>> # Instantiating module "files" from file
>> /etc/freeradius3/mods-enabled/files
>> reading pairlist file /etc/freeradius3/mods-config/files/authorize
>> reading pairlist file /etc/freeradius3/mods-config/files/accounting
>> reading pairlist file /etc/freeradius3/mods-config/files/pre-proxy
>> # Instantiating module "preprocess" from file
>> /etc/freeradius3/mods-enabled/preprocess
>> reading pairlist file /etc/freeradius3/mods-config/preprocess/huntgroups
>> reading pairlist file /etc/freeradius3/mods-config/preprocess/hints
>> # Instantiating module "attr_filter.post-proxy" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> reading pairlist file /etc/freeradius3/mods-config/attr_filter/post-proxy
>> # Instantiating module "attr_filter.pre-proxy" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> reading pairlist file /etc/freeradius3/mods-config/attr_filter/pre-proxy
>> # Instantiating module "attr_filter.access_reject" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> reading pairlist file /etc/freeradius3/mods-config/attr_filter/access_reject
>> [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item
>> "FreeRADIUS-Response-Delay" found in filter list for realm
>> "DEFAULT".
>> [/etc/freeradius3/mods-config/attr_filter/access_reject]:11 Check item
>> "FreeRADIUS-Response-Delay-USec" found in filter list for realm
>> "DEFAULT".
>> # Instantiating module "attr_filter.access_challenge" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> reading pairlist file
>> /etc/freeradius3/mods-config/attr_filter/access_challenge
>> # Instantiating module "attr_filter.accounting_response" from file
>> /etc/freeradius3/mods-enabled/attr_filter
>> reading pairlist file
>> /etc/freeradius3/mods-config/attr_filter/accounting_response
>> # Instantiating module "reject" from file
>> /etc/freeradius3/mods-enabled/always
>> # Instantiating module "fail" from file
>> /etc/freeradius3/mods-enabled/always
>> # Instantiating module "ok" from file /etc/freeradius3/mods-enabled/always
>> # Instantiating module "handled" from file
>> /etc/freeradius3/mods-enabled/always
>> # Instantiating module "invalid" from file
>> /etc/freeradius3/mods-enabled/always
>> # Instantiating module "userlock" from file
>> /etc/freeradius3/mods-enabled/always
>> # Instantiating module "notfound" from file
>> /etc/freeradius3/mods-enabled/always
>> # Instantiating module "noop" from file
>> /etc/freeradius3/mods-enabled/always
>> # Instantiating module "updated" from file
>> /etc/freeradius3/mods-enabled/always
>> # Instantiating module "mschap" from file
>> /etc/freeradius3/mods-enabled/mschap
>> rlm_mschap (mschap): using internal authentication
>> } # modules
>> radiusd: #### Loading Virtual Servers ####
>> server { # from file /etc/freeradius3/radiusd.conf
>> } # server
>> server default { # from file /etc/freeradius3/sites-enabled/default
>> # Loading authenticate {...}
>> # Loading authorize {...}
>> # Loading preacct {...}
>> # Loading accounting {...}
>> # Loading session {...}
>> # Loading post-auth {...}
>> } # server default
>> server inner-tunnel { # from file
>> /etc/freeradius3/sites-enabled/inner-tunnel
>> # Loading authenticate {...}
>> # Loading authorize {...}
>> # Loading session {...}
>> # Loading post-auth {...}
>> } # server inner-tunnel
>> radiusd: #### Opening IP addresses and Ports ####
>> listen {
>> type = "auth"
>> ipaddr = *
>> port = 1812
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> listen {
>> type = "acct"
>> ipaddr = *
>> port = 1813
>> limit {
>> max_pps = 3000
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> listen {
>> type = "auth"
>> ipv6addr = ::
>> port = 1812
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> listen {
>> type = "acct"
>> ipv6addr = ::
>> port = 1813
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> Listening on auth address * port 1812 bound to server default
>> Listening on acct address * port 1813 bound to server default
>> Listening on auth address :: port 1812 bound to server default
>> Listening on acct address :: port 1813 bound to server default
>> Ready to process requests
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html