Re: radiusd-freeradius history and future
On Wed, 12 Nov 2003 12:40, Matt Zimmerman wrote:
> The only reason I can think of for running a RADIUS server as root would be
> to authenticate against UNIX passwords or such, which is a pretty bad idea
> anyway. They should all run as non-root.

Allowing a RADIUS server to authenticate local users against /etc/shadow is
standard and expected functionality IMHO. I consider any RADIUS server which
can't authenticate against the local accounts database to be severely broken.
This does not necessarily have to require root access. The unix_chkpwd helper
program for the pam_unix.so module allows checking a password for an account
with the current UID. Giving all local accounts for the RADIUS server the
same UID as the RADIUS server won't work for several reasons (including the
fact that the unix_chkpwd helper has broken checks which fail when two
accounts have the same UID).
One possible solution to this is to have a special GID for non-root programs
which are allowed to check passwords. I would be happy to code this if
someone else wants to do the testing...
Another issue that has to be addressed is the unix_acct code (checking for
accounts with expired passwords). I've already written a helper for that.

http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
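The expired-password (unix_acct) check mentioned at the end of the message, as an added example that is not the helper the author wrote and not part of the original thread: a C routine that parses one shadow(5) line and reports whether the password has aged out or the account itself has expired. The ACCT_* codes, the function name and the constructed shadow lines are this example's own assumptions.

```c
/* Added example (not from the original thread): decide account/password expiry
 * from one /etc/shadow line, as an unix_acct-style check would.
 * Field layout per shadow(5), all day values counted since the epoch:
 * name:hash:lastchg:min:max:warn:inactive:expire:reserved */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum acct_status { ACCT_OK = 0, ACCT_PW_EXPIRED = 1, ACCT_EXPIRED = 2, ACCT_BAD_LINE = -1 };

/* Numeric day field; an empty field means "not set" and is returned as -1. */
static long day_field(const char *s)
{
    return (s == NULL || *s == '\0') ? -1 : strtol(s, NULL, 10);
}

/* Returns an ACCT_* code for 'line', evaluated at 'today' (days since epoch). */
int shadow_account_status(const char *line, long today)
{
    char buf[512];
    char *f[9] = {0};
    if (strlen(line) >= sizeof buf) return ACCT_BAD_LINE;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    char *p = buf;
    for (int i = 0; i < 9 && p; i++) {   /* split on ':' into at most 9 fields */
        f[i] = p;
        char *colon = strchr(p, ':');
        if (colon) { *colon = '\0'; p = colon + 1; } else p = NULL;
    }
    if (f[7] == NULL) return ACCT_BAD_LINE;   /* fewer than 8 fields: malformed */
    long lastchg = day_field(f[2]), max = day_field(f[4]);
    long inactive = day_field(f[6]), expire = day_field(f[7]);
    /* Account-level expiry: login is disabled from the 'expire' day onwards. */
    if (expire >= 0 && today >= expire) return ACCT_EXPIRED;
    /* lastchg == 0 means the password must be changed at next login. */
    if (lastchg == 0) return ACCT_PW_EXPIRED;
    /* Password ages out after lastchg + max days (max unset = never). Once the
     * inactivity grace period has also passed, the account is locked outright. */
    if (lastchg > 0 && max >= 0 && today > lastchg + max) {
        if (inactive >= 0 && today > lastchg + max + inactive) return ACCT_EXPIRED;
        return ACCT_PW_EXPIRED;
    }
    return ACCT_OK;
}

int main(void)
{
    /* Constructed sample line: password changed on day 19000, max age 30 days. */
    printf("%d\n", shadow_account_status("bob:$6$sample:19000:0:30:7:::", 19100));
    return 0;
}
```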