Exec module questions, v4

FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) andy.franks1 at nhs.net
Fri Jul 31 15:00:34 CEST 2020


Hi all,
  Does the exec module in v4 still support "non-xlat" use, i.e. where you stipulate a program, run it, maybe collect output pairs values?

If so, I have an example where the execution is a bit different from v3, and wanted to query it.

Using pretty much stock setup, only just added two bits - one to update the cleartext-password for chap testing, and the other to reject the user every time, for another reason.

I have an exec module "testexec"

exec testexec {
  program='/etc/freeradius/test.sh'
  wait = yes
  input_pairs = request
  output_pairs = reply
}

And my test.sh program

#!/bin/bash
echo "Reply-Message := \"hello\""
exit 0

Some observations

- The stdout output "pickup" didn't seem to be consistent, here I've used radtest to fire a test auth twice in a row without changing anything (let me know if you'd like to see the complete output)

..
(0)    pap - Setting &control:Auth-Type = pap
(0)    pap (updated)
(0)    testexec (yield)
(0)    EXPAND /etc/freeradius/test.sh
(0)      --> /etc/freeradius/test.sh
(0)    Running request
(0)    tmpl - Resuming execution
(0)    testexec - EXEC GOT -- Reply-Message := \"hello\"
(0)    testexec (ok)
..
pap - Setting &control:Auth-Type = pap
(1)    pap (updated)
(1)    testexec (yield)
(1)    EXPAND /etc/freeradius/test.sh
(1)      --> /etc/freeradius/test.sh
(1)    Running request
(1)    tmpl - Resuming execution
(1)    testexec (ok)
..



- Also, the module return code isn't the same as it used to be, i.e. where 0 was ok, 1 was reject, 2 fail, as per https://networkradius.com/doc/3.0.10/raddb/mods-available/exec.html

If I modify the program to:

#!/bin/bash
echo "Reply-Message := \"hello\""
exit 1

./test.sh ; echo $?
Reply-Message := "hello"
1



I still get (ok), not (reject), and some more output inconsistency, one has status code, one not, even with no modifications (except the exit code in the script) or restarting the service



(3)    pap - Setting &control:Auth-Type = pap
(3)    pap (updated)
(3)    testexec (yield)
(3)    EXPAND /etc/freeradius/test.sh
(3)      --> /etc/freeradius/test.sh
(3)    Running request
(3)    tmpl - Resuming execution
(3)    testexec (ok)

pap - Setting &control:Auth-Type = pap
(4)    pap (updated)
(4)    testexec (yield)
(4)    EXPAND /etc/freeradius/test.sh
(4)      --> /etc/freeradius/test.sh
(4)    Running request
(4)    tmpl - Resuming execution
(4)    Program failed with status code 1
(4)    testexec (ok)



I'm not modifying the module behaviour with { reject=1 } etc.



We used to rely on the text output, even if the exit code was non zero, and that exit code value to do some more stuff after a CoA request.



I should try modifying my unlang to do some xlats instead, but thought I'd ask first - is it just me - do I not understand deliberate changes that have taken place?



I've tried changing shell_escape value, using sh instead of bash, with similar results.



Thanks!

Andy
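
A small summarizer for debug output of the kind quoted in the message above, as an added example that is not part of the original post or of FreeRADIUS: it groups lines by request number and reports which requests logged no "EXEC GOT" line, and which logged a failure status while the module still returned ok. The function names are assumptions, and the sample is condensed from lines in the message.

```python
import re

# Debug lines condensed from the message above (requests 0, 1 and 4).
SAMPLE_LOG = r"""
(0)    testexec (yield)
(0)    tmpl - Resuming execution
(0)    testexec - EXEC GOT -- Reply-Message := \"hello\"
(0)    testexec (ok)
(1)    testexec (yield)
(1)    testexec (ok)
(4)    testexec (yield)
(4)    Program failed with status code 1
(4)    testexec (ok)
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")

def summarize(log, module="testexec"):
    """Return {request_id: {"stdout": [...], "status": int|None, "rcode": str|None}}."""
    got = re.compile(rf"^{re.escape(module)} - EXEC GOT -- (.*)$")
    rcode = re.compile(rf"^{re.escape(module)} \((\w+)\)$")
    status = re.compile(r"^Program failed with status code (\d+)$")
    out = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a "(N)" request prefix cannot be attributed
        rec = out.setdefault(int(m.group(1)), {"stdout": [], "status": None, "rcode": None})
        text = m.group(2)
        if (g := got.match(text)):
            rec["stdout"].append(g.group(1))
        elif (s := status.match(text)):
            rec["status"] = int(s.group(1))
        elif (r := rcode.match(text)) and r.group(1) != "yield":
            rec["rcode"] = r.group(1)  # final module return code, e.g. "ok"
    return out

def findings(summary):
    """Flag requests with no EXEC GOT line, or with ok despite a failure status."""
    flags = {}
    for rid, rec in summary.items():
        issues = []
        if not rec["stdout"]:
            issues.append("no EXEC GOT line")
        if rec["status"] not in (None, 0) and rec["rcode"] == "ok":
            issues.append(f"exit status {rec['status']} but rcode ok")
        if issues:
            flags[rid] = issues
    return flags
```

Calling `findings(summarize(text))` on the saved debug output of a repeated radtest run shows at a glance which requests differ.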





