Freeradius DHCP and "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not permitted (1)"
b.thompson at hydra-billing.com
Sun Sep 11 07:41:29 UTC 2022
> > Then I checked that it is set up by getcap /usr/sbin/freeradius and it
> > /usr/sbin/freeradius = cap_net_admin+ei
> That should work.
> > But there is still Failed adding ARP entry: Failed to add entry in ARP
> > cache: Operation not permitted (1)
I ran into this issue and did some investigation. What I found was that if
you set the permissions as follows:
setcap cap_net_admin,cap_net_bind_service=eip /usr/local/sbin/radiusd
This works as long as you do not launch FreeRADIUS as root.
So for example I have a normal user called "radius" specified in
user = radius
group = radius
This does not work:
root@computer# radiusd -X
radius@computer$ radiusd -X
So what seems to be happening is that although we assign the capabilities
to the radiusd executable, if we launch as a different user to what is in
radiusd.conf then those capabilities are lost when FreeRADIUS switches user.
I also tried adding "ambient" capabilities as follows:
--keep=1 --user=radius --addamb=cap_net_admin,cap_net_bind_service --
-c "/usr/local/sbin/radiusd -X"
This also works fine.
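
Added example, not part of the original post and not FreeRADIUS code: a way to check whether a running daemon still holds CAP_NET_ADMIN in its effective set after any UID switch, by decoding the Cap* masks in /proc/<pid>/status. The two status samples are constructed to show the two outcomes discussed in the post; the function names and the use of pidof are assumptions.

```shell
# Capability bit numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12

# Constructed sample: process that still holds both capabilities.
SAMPLE_KEPT='Name: radiusd
Uid: 1001 1001 1001 1001
CapInh: 0000000000000000
CapPrm: 0000000000001400
CapEff: 0000000000001400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# Constructed sample: process whose sets were cleared by a UID switch.
SAMPLE_LOST='Name: radiusd
Uid: 1001 1001 1001 1001
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# cap_mask SET: read status text on stdin, print the hex mask for SET
# (one of CapInh, CapPrm, CapEff, CapBnd, CapAmb).
cap_mask() {
    awk -v key="$1:" '$1 == key { print $2 }'
}

# has_cap SET BIT: succeed if bit BIT is set in SET for the status on stdin.
has_cap() {
    mask=$(cap_mask "$1")
    [ -n "$mask" ] && [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# arp_ready: succeed only if CAP_NET_ADMIN is in the effective set,
# the set the kernel consults when an ARP entry is added.
arp_ready() {
    has_cap CapEff "$CAP_NET_ADMIN"
}

# report LABEL: print the verdict for the status text on stdin.
report() {
    if arp_ready; then echo "$1: CAP_NET_ADMIN effective"
    else echo "$1: CAP_NET_ADMIN not effective"; fi
}

printf '%s\n' "$SAMPLE_KEPT" | report "kept"
printf '%s\n' "$SAMPLE_LOST" | report "lost"
```

Against a live daemon, feed the real file instead of a sample: `report radiusd < "/proc/$(pidof radiusd)/status"`.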