Freeradius DHCP and "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not permitted (1)"
Benjamin Thompson
b.thompson at hydra-billing.com
Sun Sep 11 07:41:29 UTC 2022
> > Then I checked that it is set up by getcap /usr/sbin/freeradius and it
> was
> > /usr/sbin/freeradius = cap_net_admin+ei
>
> That should work.
>
> > But there is still Failed adding ARP entry: Failed to add entry in ARP
> > cache: Operation not permitted (1)
>
Hi
I ran into this issue and did some investigation. What I found was that if
you set the permissions as follows:
setcap cap_net_admin,cap_net_bind_service=eip /usr/local/sbin/radiusd
This works as long as you do not launch FreeRADIUS as root.
So for example I have a normal user called "radius" specified in
radiusd.conf:
security {
user = radius
group = radius
...
}
This does not work:
root at computer# radiusd -X
This works:
radius at computer$ radiusd -X
So what seems to be happening is that although we assign the capabilities
to the radiusd executable, if we launch as a different user to what is in
radiusd.conf then those capabilities are lost when FreeRADIUS switches user.
I also tried adding "ambient" capabilities as follows:
capsh --caps="cap_setpcap,cap_setuid,cap_setgid,cap_net_admin,cap_net_bind_service+eip" \
    --keep=1 --user=radius --addamb=cap_net_admin,cap_net_bind_service -- \
    -c "/usr/local/sbin/radiusd -X"
This also works fine.
--
Benjamin Thompson
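The message above explains why the capabilities set on the binary vanish: they are dropped when the daemon setuid()s away from root. A practical check is to look at what the running process actually holds, rather than what getcap reports for the file. The following POSIX shell script is an added example and is not code from the mail or from the FreeRADIUS project. It decodes the CapEff mask from /proc/<pid>/status and reports whether cap_net_admin and cap_net_bind_service are in the effective set; the bit numbers 10 and 12 are the kernel's constants from <linux/capability.h>, the process name radiusd is assumed from the thread, and the masks in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that a running daemon
# still holds the capabilities it needs after switching user, by decoding
# the CapEff line of /proc/<pid>/status.
# Usage: ./checkcaps.sh <pid>   (for example the pid of radiusd)

# Capability bit numbers from <linux/capability.h>
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12

# cap_in_mask MASK BIT: succeed if BIT is set in the 64-bit hex MASK.
# Works one hex digit at a time, so it does not rely on the shell having
# 64-bit integer arithmetic.
cap_in_mask() {
    mask=$1
    bit=$2
    # left-pad to 16 hex digits (the kernel prints 16, but be safe)
    while [ ${#mask} -lt 16 ]; do mask=0$mask; done
    nibble_pos=$(( 16 - bit / 4 ))       # 1-based position from the left
    nibble=$(printf '%s' "$mask" | cut -c "$nibble_pos")
    [ $(( (0x$nibble >> (bit % 4)) & 1 )) -eq 1 ]
}

# missing_caps MASK: print the names of the required caps absent from MASK
# (empty output means both are present). Constructed sample:
#   missing_caps 0000000000000400  ->  "cap_net_admin"
missing_caps() {
    missing=""
    cap_in_mask "$1" $CAP_NET_BIND_SERVICE || missing="$missing cap_net_bind_service"
    cap_in_mask "$1" $CAP_NET_ADMIN        || missing="$missing cap_net_admin"
    printf '%s' "${missing# }"
}

# proc_capeff PID: print the CapEff hex mask of a running process
proc_capeff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# check_pid PID: report, and return 0 only if both caps are effective
check_pid() {
    eff=$(proc_capeff "$1") || return 2
    lost=$(missing_caps "$eff")
    if [ -z "$lost" ]; then
        echo "pid $1: CapEff=$eff, cap_net_admin and cap_net_bind_service present"
        return 0
    fi
    echo "pid $1: CapEff=$eff, missing: $lost"
    echo "hint: file caps are dropped when the daemon setuid()s away from root;"
    echo "      start it as the configured user, or use ambient caps (capsh --addamb)"
    return 1
}

if [ $# -gt 0 ]; then
    check_pid "$1"
fi
```

Run it as `./checkcaps.sh "$(pidof radiusd)"` after starting the daemon each way described in the mail; the root-launched instance should report the caps as missing, while the one started as the radius user (or via capsh with ambient caps) should report them present. Reading CapEff rather than CapPrm matters here: a capability that is permitted but not effective will still produce the "Operation not permitted" error when the ARP entry is added.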