
Configure radius to run script under different user



Hi,

Thanks for help on previous post. My startup script for Radius now works so it starts at boot time. The script is in /etc/init.d and looks like this:

#!/bin/sh
/usr/local/sbin/radiusd -d /usr/local/var/log/radius/radacct/ -d /usr/local/etc/raddb/

After rebooting radius starts up automatically which is what I want.

However for security I don’t want this to run under root, but I want it to run under a user and group called ‘support’

I have edited the radius.conf file and added

#  for some finer-grained access controls.
#
user = support
group = support

#  max_request_time: The maximum time (in seconds) to handle a request.

So this is to get radius to run under support.

If I run radiusd -X from command line as user support, radius starts up fine.

However if I run the startup script as user support from /etc/init.d by entering #./start-my-radius.sh it comes up with error

support@OXC-RPROXY-02:/etc/init.d$ ./start-my-radius.sh
radiusd: Cannot initialize supplementary group list for user support: Operation not permitted

I guess it’s something to do with permissions but I can’t figure out what I need to change? I just want this to work under user support, if I’m logged in as root and run #./start-my-radius.sh it works fine and starts up radius. However I have to amend radius.conf to get this to work via root login so it looks like this

#user = support
#group = support

So what have I missed?

The radius files look like this

support@OXC-RPROXY-02:/usr/local/sbin$ ls -l
total 780
-rwxr-xr-x 1 support support  36403 Oct 12 13:57 checkrad
-rwxr-xr-x 1 support support 619724 Oct 12 13:57 radiusd
-rwxr-xr-x 1 support support 115567 Oct 12 13:57 radmin
-rwxr-xr-x 1 support support   1285 Oct 12 13:57 radwatch
-rwxr-xr-x 1 support support   2471 Oct 12 14:22 rc.radiusd
-rwxr-xr-x 1 support support   2506 Oct 12 14:22 rc.radiusdbkp
support@OXC-RPROXY-02:/usr/local/sbin$

This is what it looks like when the script starts via root

support@OXC-RPROXY-02:/etc/init.d$ ps aux | grep radiusd
root     30712  0.0  0.2  47080  2744 ?        Ssl  15:55   0:00 /usr/local/sbin/radiusd -d /usr/local/var/log/radius/radacct/ -d /usr/local/etc/raddb/
support  32505  0.0  0.0   2184   736 pts/0    S+   15:57   0:00 grep radiusd

OXC-RPROXY-02:/etc/init.d# cd /usr/local/sbin
OXC-RPROXY-02:/usr/local/sbin# ls -l
total 780
-rwxr-xr-x 1 support support  36403 Oct 12 13:57 checkrad
-rwxr-xr-x 1 support support 619724 Oct 12 13:57 radiusd
-rwxr-xr-x 1 support support 115567 Oct 12 13:57 radmin
-rwxr-xr-x 1 support support   1285 Oct 12 13:57 radwatch
-rwxr-xr-x 1 support support   2471 Oct 12 14:22 rc.radiusd
-rwxr-xr-x 1 support support   2506 Oct 12 14:22 rc.radiusdbkp

Please help!
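
Added example (not part of the original post, and not FreeRADIUS code): a preflight check an init script could run before starting radiusd, reproducing the outcomes reported above for the script start. The function names, the uid argument and the sample config files are constructed; it assumes the run user is set by a "user = NAME" line as quoted in the post.

```sh
#!/bin/sh
# Added example, not FreeRADIUS code. Assumes the run user is set by a
# "user = NAME" line in the config, as quoted in the post.

# Print the value of the first active (uncommented) "user =" line, if any.
conf_run_user() {
    sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" |
        head -n 1
}

# preflight EUID CONF: print a verdict for a daemon start by uid EUID.
# Returns 0 = ends up unprivileged, 1 = start will fail, 2 = stays root.
preflight() {
    euid=$1
    run_user=$(conf_run_user "$2")
    if [ -n "$run_user" ] && [ "$euid" -eq 0 ]; then
        echo "ok: started as root, switches to $run_user"
        return 0
    elif [ -n "$run_user" ]; then
        # Changing the supplementary group list needs root privilege, hence
        # the "Operation not permitted" error shown in the post.
        echo "fail: uid $euid may not set the group list for $run_user"
        return 1
    elif [ "$euid" -eq 0 ]; then
        echo "warn: no active user= line, daemon keeps running as root"
        return 2
    fi
    echo "ok: no user= set, daemon runs as invoking uid $euid"
    return 0
}

# Constructed configs mirroring the two radius.conf states in the post.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'user = support\ngroup = support\n' > "$dir/set.conf"
    printf '#user = support\n#group = support\n' > "$dir/off.conf"
    preflight 1000 "$dir/set.conf" || :   # script run as support
    preflight 0 "$dir/off.conf" || :      # root process in the ps output
    preflight 0 "$dir/set.conf" || :      # root start with user= active
    rm -rf "$dir"
}

demo
```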
