
Re: radiusd-freeradius history and future

On Wed, 12 Nov 2003 12:40, Matt Zimmerman wrote:
> The only reason I can think of for running a RADIUS server as root would be
> to authenticate against UNIX passwords or such, which is a pretty bad idea
> anyway.  They should all run as non-root.

Allowing a RADIUS server to authenticate local users against /etc/shadow is 
standard and expected functionality IMHO.  I consider any RADIUS server which 
can't authenticate against the local accounts database to be severely broken.

This does not necessarily have to require root access.  The unix_chkpwd helper 
program for the pam_unix.so module allows checking a password for an account 
with the current UID.  Giving all local accounts for the RADIUS server the 
same UID as the RADIUS server won't work for several reasons (including the 
fact that the unix_chkpwd helper has broken checks which fail when two 
accounts have the same UID).

One possible solution to this is to have a special GID for non-root programs 
which are allowed to check passwords.  I would be happy to code this if 
someone else wants to do the testing...

Another issue that has to be addressed is the unix_acct code (checking for 
accounts with expired passwords).  I've already written a helper for that.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
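The unix_chkpwd mechanism described in the message above, written out as an added example (this is not code from the mail, from Linux-PAM or from any RADIUS server): it drives the setuid helper the way pam_unix.so does, so an unprivileged daemon can verify a password against /etc/shadow without reading the file itself. It assumes the helper lives at /sbin/unix_chkpwd, takes "user nullok|nonull" as its arguments and reads the NUL-terminated password from stdin; when the caller is not root, the helper only accepts a check for the caller's own UID, which is exactly the limitation the message is discussing.

```c
/* Added example, not from the mail or from Linux-PAM: call the unix_chkpwd
 * helper the way pam_unix.so does.  Assumed conventions: the helper takes
 * "user" and "nullok"/"nonull" as arguments, reads the password (with its
 * terminating NUL) from stdin, and exits 0 only when the password matches.
 * Run as a non-root user, the helper will only check the caller's own
 * account. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the helper's exit status: 0 means the password matched.  Any
 * other value (including 127 for a failed exec and -1 for a local error)
 * means the password was not verified. */
int chkpwd_verify(const char *helper, const char *user, const char *password)
{
    int fds[2];
    pid_t child;
    int status;

    if (pipe(fds) != 0)
        return -1;

    child = fork();
    if (child < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }

    if (child == 0) {
        /* Child: the read end becomes stdin, nothing else is inherited.
         * The password never appears on the command line. */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]);
        execl(helper, "unix_chkpwd", user, "nonull", (char *)NULL);
        _exit(127);
    }

    /* Parent: hand over the password, then close the pipe so the helper
     * sees EOF.  SIGPIPE is ignored while writing because the helper may
     * already have exited (e.g. exec failed or the user was refused). */
    close(fds[0]);
    void (*old_pipe)(int) = signal(SIGPIPE, SIG_IGN);
    size_t len = strlen(password) + 1;          /* include the NUL */
    ssize_t written = write(fds[1], password, len);
    close(fds[1]);
    signal(SIGPIPE, old_pipe);

    if (waitpid(child, &status, 0) != child)
        return -1;
    if (written != (ssize_t)len)
        return -1;
    if (!WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user password\n", argv[0]);
        return 2;
    }
    int rc = chkpwd_verify("/sbin/unix_chkpwd", argv[1], argv[2]);
    printf("%s\n", rc == 0 ? "password accepted" : "password rejected");
    return rc == 0 ? 0 : 1;
}
```

Only an exit status of exactly 0 is treated as success; every other path, including the helper being missing, is a rejection, which is the failure mode a daemon must get right. This is also the check that breaks when two accounts share a UID: the helper resolves the caller's UID back to one account name, and a request for the other name is refused even though the password is right, which is the problem with same-UID accounts mentioned above.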
