raddebug
Gerald Vogt
vogt at spamcop.net
Thu Aug 10 20:10:41 UTC 2023
On 10.08.23 13:32, Alan DeKok wrote:
> On Aug 9, 2023, at 11:11 AM, Gerald Vogt <vogt at spamcop.net> wrote:
>> For whatever reason "raddebug" doesn't work on our new radius servers. On the old ones I could simply run "raddebug" or "raddebug -t 0" to capture the current debug logs.
>>
>> On the new one it shows nothing. It simply runs without any output.
>>
>> Running freeradius-3.2.3-1.el9.x86_64 on AlmaLinux 9.
>>
>> All the prerequisites mentioned in the raddebug(8) are met:
>> * radmin is in the path.
>> * I start raddebug as root thus permissions shouldn't matter.
>> * control socket is configured in mode rw and is accessible.
>> * It creates a file like "/var/log/radius/radmin.debug.101128" which remains empty as well.
>> * I don't run multiple raddebug processes.
>>
>> So I don't understand why it's not working...
>
> If I had to guess, it would be some kind of SELinux thing, or other "security" permissions thing.

It's not SELinux. There are no denials and I have double-checked in
permissive mode.

It seems the problem is when I start raddebug as root. It creates the
radmin.debug log file as root:

-rw-rw-r--. 1 root root 0 Aug 10 22:06 /var/log/radius/radmin.debug.30393

and radiusd cannot write into that.

If I run

# sudo -u radiusd raddebug

it'll work.

That wasn't necessary on EL7. I thought radiusd would create the debug
log file. If it's raddebug (or radmin) I guess it should make sure that
it's using the correct user/group. Or is there a new configuration
option to set the user/group for the debug log file?

-Gerald
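
Added example, not part of the original message and not FreeRADIUS code: a shell check that reproduces the permission outcome described above from the `ls -l` values (mode string, owner, group) and the daemon's user and groups. The function names `can_write` and `check_debug_file` are hypothetical, and only classic mode bits are evaluated, not ACLs or SELinux.

```shell
#!/bin/sh
# Added example: evaluate Unix mode-bit write access from ls-style values.
# can_write MODE OWNER GROUP USER "USER_GROUPS"
#   MODE is the ls -l permission string, e.g. "-rw-rw-r--." (a trailing
#   "." or "+" marker is ignored). Prints the class that decided the
#   result and returns 0 if writing is allowed, 1 otherwise.
can_write() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5

    # uid 0 normally holds CAP_DAC_OVERRIDE, so mode bits do not stop it.
    if [ "$user" = "root" ]; then
        echo "root-override"
        return 0
    fi

    # Write bits sit at characters 3 (owner), 6 (group) and 9 (other).
    w_owner=$(printf '%s' "$mode" | cut -c3)
    w_group=$(printf '%s' "$mode" | cut -c6)
    w_other=$(printf '%s' "$mode" | cut -c9)

    # Only the first matching class is consulted: owner, then group, then other.
    if [ "$user" = "$owner" ]; then
        class=owner bit=$w_owner
    else
        class=other bit=$w_other
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then
                class=group bit=$w_group
                break
            fi
        done
    fi
    echo "$class"
    [ "$bit" = "w" ]
}

# Live check using GNU stat and id: can USER write to PATH?
# Returns 2 if the file cannot be inspected.
check_debug_file() {
    path=$1 user=$2
    info=$(stat -c '%A %U %G' "$path") || return 2
    set -- $info
    can_write "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}
```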