Re: radiusd-freeradius history and future
On Thu, Nov 13, 2003 at 12:19:02AM +1100, Paul Hampson wrote:
> On Wed, Nov 12, 2003 at 02:07:27AM +0100, Javier Fernández-Sanguino Peña wrote:
> > Maybe I'm mistaken, but the rpm spec file seems to use a 'radiusd' user
> > whileas the Debian rules package does not. I would be more confident with
> > the package if it was built this way. At least a security problem in
> > its code (if found) would lead to a remote 'radiusd' compromise (but not
> > 'root') an important difference.
> I don't know what debian/rules file you're looking at, since the bug
> report in the DBS relating to this has my patch to fix it, and both the
> current stable and unstable debian/ filesets do not run as root.
You are right.
> It does adduser freerad shadow on first installation, but not after that
> (on the advice of Steve Langasek) to allow the local authentication code
> to work, and to give the admin the freedom to disable this for added
> security if they're not using the local authentication code.
Yes, I missed the 'adduser' calls in postinst. In any case, it would be
nice if, instead of 'freerad' a generic 'radiusd' user was used so that it
could be "shared" by different radius packages. Not that one would want to
install different Radius servers and share the users file, but just for
consistency and to avoid having multiple 'freerad', 'cistronrad',
'livingston' users. It might help if you have a cluster of servers and want
ot have uniform usernames between them (even if running different
implementations). Just a thought (maybe worthless)