
Re: Freeradius



[Giorgio Pioda]
> Some progress and some questions
> 
> Checking with strace the activity of freeradius in debug mode,
> I've seen that the daemon was trying to write into /tmp/user/0
> which had root:root and 0711 privileges.
> 
> Opening to 0777 makes the authentication successful and a radius_125
> file (freerad:freerad owner) is created.
> 
> Is it ok to have such a permission in this directory?

No.

The /tmp/user/0 directory is the TMP/TMPDIR directory of the root
user.  It is created by libpam-tmpdir when a user logs in and ensures
users are more isolated from each other.  If the radius server lacks
write access to this directory, it is because it isn't running as the
root user when it tries to write its files.

A quick fix is to restart the daemon while TMP and TMPDIR are unset, i.e.
something like this:

  'TMP= TMPDIR= service freeradius restart'

The proper fix is perhaps to stop freeradius from storing files in
/tmp, or to get it to call PAM when changing uid (to create its own
directory under /tmp/user/), or to get it to open the files in /tmp/
before changing uid. :)

-- 
Happy hacking
Petter Reinholdtsen
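
Added example, not part of the original message: a shell check for the situation described above, where a daemon inherits root's TMPDIR from the session that started it and then drops privileges. The function names are constructed; it assumes Linux /proc and GNU stat, and ignores ACLs and supplementary groups.

```shell
#!/bin/sh
# Added example; function names are constructed, not from freeradius or libpam-tmpdir.

# Print the TMPDIR a process was started with (environ files are NUL-separated).
tmpdir_of() {
    tr '\0' '\n' < "$1" | sed -n 's/^TMPDIR=//p' | head -n 1
}

# classify_tmpdir OWNER GROUP MODE UID GID
# MODE is octal as printed by `stat -c %a`; UID/GID are the daemon's effective ids.
classify_tmpdir() (
    owner=$1 group=$2 mode=$((0$3)) uid=$4 gid=$5
    # Pick the permission triplet that applies to this uid/gid.
    if [ "$uid" -eq "$owner" ]; then bits=$(( (mode >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then bits=$(( (mode >> 3) & 7 ))
    else bits=$(( mode & 7 ))
    fi
    if [ $(( mode & 2 )) -ne 0 ] && [ $(( mode & 01000 )) -eq 0 ]; then
        # Writable by everyone with no sticky bit: the 0777 workaround.
        echo world-writable
    elif [ $(( bits & 3 )) -ne 3 ]; then
        # Creating a file needs both write and search (w+x) on the directory.
        echo unwritable
    else
        echo ok
    fi
)

# audit_pid PID: report how the process's inherited TMPDIR looks to its effective uid.
# Reading another user's /proc/PID/environ requires root.
audit_pid() (
    dir=$(tmpdir_of "/proc/$1/environ")
    [ -n "$dir" ] || { echo "pid $1: TMPDIR unset or empty"; exit 0; }
    euid=$(awk '/^Uid:/ {print $3}' "/proc/$1/status")
    egid=$(awk '/^Gid:/ {print $3}' "/proc/$1/status")
    set -- "$1" $(stat -c '%u %g %a' "$dir")
    echo "pid $1: TMPDIR=$dir is $(classify_tmpdir "$2" "$3" "$4" "$euid" "$egid")"
)
```

Run `audit_pid` as root with the daemon's PID; "unwritable" matches the 0711 root:root case in this thread, and "world-writable" flags the 0777 change.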
