
Re: radiusd-freeradius history and future



On Thu, Nov 13, 2003 at 12:19:02AM +1100, Paul Hampson wrote:
> On Wed, Nov 12, 2003 at 02:07:27AM +0100, Javier Fernández-Sanguino Peña wrote:
> 
> > Maybe I'm mistaken, but the rpm spec file seems to use a 'radiusd' user
> > whereas the Debian rules package does not. I would be more confident with
> > the package if it was built this way. At least a security problem in
> > its code (if found) would lead to a remote 'radiusd' compromise (but not
> > 'root'), an important difference.
> 
> I don't know what debian/rules file you're looking at, since the bug
> report in the DBS relating to this has my patch to fix it, and both the
> current stable and unstable debian/ filesets do not run as root.

You are right.

> 
> It does adduser freerad shadow on first installation, but not after that
> (on the advice of Steve Langasek) to allow the local authentication code
> to work, and to give the admin the freedom to disable this for added
> security if they're not using the local authentication code.

Yes, I missed the 'adduser' calls in postinst. In any case, it would be 
nice if, instead of 'freerad', a generic 'radiusd' user was used so that it 
could be "shared" by different radius packages. Not that one would want to 
install different Radius servers and share the users file, but just for 
consistency and to avoid having multiple 'freerad', 'cistronrad', 
'livingston' users. It might help if you have a cluster of servers and want 
to have uniform usernames between them (even if running different 
implementations). Just a thought (maybe worthless).

Regards

Javi


