[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Freeradius



On Mon, Sep 02, 2013 at 07:07:15PM +0200, Petter Reinholdtsen wrote:
> [Giorgio Pioda]
> > Some progress and some questions
> > 
> > Checking with strace the activity of freeradius in debug mode,
> > I've seen that the daemon was triing to write into /tmp/user/0
> > which had root:root and 0711 privileges.
> > 
> > Opening to 0777 makes the authentication successful and a radius_125
> > file (freerad:freerad owner) is created.
> > 
> > Is it ok to have such a permission in this directory?
> 
> No.
> 
> The /tmp/user/0 directory is the TMP/TMPDIR directory of the root
> user.  It is created by libpam-tmpdir when a user log in and ensure
> users are more isolated from each other.  If the radius server lack
> write access to this directory, it is because it isn't running as the
> root user when it try to write its files.
> 
> A quickfix is to restart the daemon while TMP and TMPDIR is unset, ie
> something like this:
> 
>   'TMP= TMPDIR= service freeradios restart'
> 
> The proper fix is perhaps to stop freeradios from storing files in
> /tmp, or to get it to call PAM when changing uid (to create its own
> directory under /tmp/user/), or to get it to open the files in /tmp/
> before changing uid. :)

Yep, I was suspecting this. Freeradius runs as "freerad" user. Is this
a freeradius-krb5 bug?

Regards

Giorgio


Reply to: