[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: radiusd-freeradius history and future

On Wed, Nov 12, 2003 at 02:07:27AM +0100, Javier Fernández-Sanguino Peña wrote:

> Also, just another question. Is there any reason why it needs to run as
> root? (as I believe it does in the current Debian package) Would it be
> unreasonable to ask it to run as a 'radiusd' user? 

I can almost guarantee that it shouldn't be running as root.  I hope that
the new maintainer plans to change this.

> However, this is the way that currently the radiusd packages we provide 
> (radiusd-cistron and radiusd-livingston) seem to operate. Is this at all 
> necessary? (after all they use their separate users database)

The only reason I can think of for running a RADIUS server as root would be
to authenticate against UNIX passwords or such, which is a pretty bad idea
anyway.  They should all run as non-root.

> PS: I'm not particularly worried about freeradius, I'm just raising some
> questions.  It seems that our radiusd packages suffer from similar (if not
> worst) security issues and, furthermore, are not (I believe) that actively
> maintained upstream.

Packages which represent an attack vector and are not actively maintained
are a liability, and I think that they should not be included in Debian
releases.  There are several packages in woody that we might have been
better off without, and I hope that we can do better with sarge.

 - mdz

Reply to: