Freeradius 3.0.21 with chroot enables fails to start from the Systemd unit file.

Alan DeKok aland at deployingradius.com
Wed Apr 20 18:54:40 UTC 2022 

On Apr 20, 2022, at 2:30 PM, Antonios Kalkakos <akalkakos at hotmail.com> wrote:
> 
> When freeradius -f is executed from the command line as user 'freerad' the process dies without logging anything to /var/log/freeradius/radiusd.log (originally I had /var/log/freeradius bind mounted to /var/freeradius/chroot/var/log/freeradius but I changed that to separate the log files for my tests).
> 
> So, if I run the chrooted freeradius -f from the command line as...
> 1) ...'freerad', the daemon dies without logging anything.

  Then your local configuration is somehow wrong.  The server tries really hard to log everything.  But there may be rare / unusual code paths where it doesn't.

  Especially when using a version which is a few years old.

  But also, the server can't use the "chroot" system call when it's a normal user.  chroot() is allowed only for the "root" user.

  And when I try to configure chroot as a normal user, the server dies with an error:

Failed to perform chroot /path/to/chroot: EPERM: Operation not permitted

> 2) ...'root', Freeradius works as expected and "ps u -C freeradius" outputs "freerad   7758  6.1  9.2 175332 87020 ?        Ssl  17:08 0:01 /usr/sbin/freeradius -f".

  As expected.

> The systemd unit file contains the lines User=freerad and Group=freerad which, in the best of my knowledge, mean "run freeradius -f as user and group 'freerad'".

  Which then means that chroot won't work.

> If I remove the User and Group lines (they both default to 'root'), systemd complains that the process "Failed with result 'timeout'" and freeradius logs "Warning: Failed notifying systemd that process is READY: Unknown error -2" in /var/freeradius/chroot/var/log/freeradius/radiusd.log. However, the chrooted freeradius process is up and works as expected.

  Likely because systemd doesn't interact well with chroot'd programs.  As I already said.

  so:

a) chroot works when run normally (as root, not as another user)

b) who knows about systemd

  We're not the authors of systemd, and can't really help with that.  Either run the server under chroot normally (without systemd) or run it under systemd (without chroot)
 
  Alan DeKok.

More information about the Freeradius-Users mailing list