Freeradius 3.0.21 with chroot enabled fails to start from the Systemd unit file.
Antonios Kalkakos
akalkakos at hotmail.com
Thu Apr 21 11:23:37 UTC 2022
Totally agree with you. Thanks for your clarifications and support, Alan!
Antonios
On 20/04/2022 21:54, Alan DeKok wrote:
> On Apr 20, 2022, at 2:30 PM, Antonios Kalkakos <akalkakos at hotmail.com> wrote:
>>
>> When freeradius -f is executed from the command line as user 'freerad' the process dies without logging anything to /var/log/freeradius/radiusd.log (originally I had /var/log/freeradius bind mounted to /var/freeradius/chroot/var/log/freeradius but I changed that to separate the log files for my tests).
>>
>> So, if I run the chrooted freeradius -f from the command line as...
>> 1) ...'freerad', the daemon dies without logging anything.
>
> Then your local configuration is somehow wrong. The server tries really hard to log everything. But there may be rare / unusual code paths where it doesn't.
>
> Especially when using a version which is a few years old.
>
> But also, the server can't use the "chroot" system call when it's a normal user. chroot() is allowed only for the "root" user.
>
> And when I try to configure chroot as a normal user, the server dies with an error:
>
> Failed to perform chroot /path/to/chroot: EPERM: Operation not permitted
>
>> 2) ...'root', Freeradius works as expected and "ps u -C freeradius" outputs "freerad 7758 6.1 9.2 175332 87020 ? Ssl 17:08 0:01 /usr/sbin/freeradius -f".
>
> As expected.
>
>> The systemd unit file contains the lines User=freerad and Group=freerad which, to the best of my knowledge, mean "run freeradius -f as user and group 'freerad'".
>
> Which then means that chroot won't work.
>
>> If I remove the User and Group lines (they both default to 'root'), systemd complains that the process "Failed with result 'timeout'" and freeradius logs "Warning: Failed notifying systemd that process is READY: Unknown error -2" in /var/freeradius/chroot/var/log/freeradius/radiusd.log. However, the chrooted freeradius process is up and works as expected.
>
> Likely because systemd doesn't interact well with chroot'd programs. As I already said.
>
> So:
>
> a) chroot works when run normally (as root, not as another user)
>
> b) who knows about systemd
>
> We're not the authors of systemd, and can't really help with that. Either run the server under chroot normally (without systemd) or run it under systemd (without chroot).
>
> Alan DeKok.