
Re: radiusd-freeradius history and future



On Wed, Nov 12, 2003 at 02:07:27AM +0100, Javier Fernández-Sanguino Peña wrote:

> Also, just another question. Is there any reason why it needs to run as
> root? (as I believe it does in the current Debian package) Would it be
> unreasonable to ask it to run as a 'radiusd' user? 

I can almost guarantee that it shouldn't be running as root.  I hope that
the new maintainer plans to change this.

> However, this is the way that currently the radiusd packages we provide 
> (radiusd-cistron and radiusd-livingston) seem to operate. Is this at all 
> necessary? (after all they use their separate users database)

The only reason I can think of for running a RADIUS server as root would be
to authenticate against UNIX passwords or such, which is a pretty bad idea
anyway.  They should all run as non-root.

> PS: I'm not particularly worried about freeradius, I'm just raising some
> questions.  It seems that our radiusd packages suffer from similar (if not
> worse) security issues and, furthermore, are not (I believe) that actively
> maintained upstream.

Packages which represent an attack vector and are not actively maintained
are a liability, and I think that they should not be included in Debian
releases.  There are several packages in woody that we might have been
better off without, and I hope that we can do better with sarge.

-- 
 - mdz
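The thread's point is that a RADIUS daemon has no good reason to run as root. As an added example, not part of the original message, here is a small POSIX shell check a Debian admin could run to flag RADIUS daemons still running as uid 0; the process listing is constructed inline, and the daemon names `radiusd`/`freeradius` are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): flag RADIUS daemons running as root.
# Input: text in `ps -eo user=,pid=,comm=` format (one "user pid command" per line).
# Output: "pid command" for each offending process; exit status 1 if any found.

# Sample process listing, constructed for this example.
SAMPLE_PS='root 1 init
root 812 sshd
root 1204 radiusd
freerad 1310 freeradius
nobody 1400 radiusd'

find_root_radius() {
    # $1: process listing text. Daemon names are assumed; extend the regex as needed.
    printf '%s\n' "$1" | awk '
        $1 == "root" && $3 ~ /^(radiusd|freeradius)$/ { print $2, $3; n++ }
        END { exit (n ? 1 : 0) }'
}

# Live check against the running system:
#   find_root_radius "$(ps -eo user=,pid=,comm=)"
find_root_radius "$SAMPLE_PS"
```

A non-zero exit status means at least one RADIUS daemon should be reconfigured to drop to an unprivileged user (FreeRADIUS supports this through the `user` and `group` directives in radiusd.conf).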