bug-gnu-radius

Re: [Bug-gnu-radius] Are there good reasons for running radiusd as user


From: Maurice Makaay
Subject: Re: [Bug-gnu-radius] Are there good reasons for running radiusd as user 'root'?
Date: Wed, 12 Nov 2003 12:00:39 +0100

Hi,

> You only have to run it as root if you plan to use Auth-Type = System
> and/or Auth-Type = PAM. Otherwise it is OK to run radiusd with usual user
> privileges, provided that the logging directory is writable for that
> user or group (the default /var/log obviously isn't).
...
> That is reasonable. I'll surely add the feature.

I created a patch which adds a new keyword "exec-user" to the configuration
file's vocabulary. By setting the exec-user, one can determine under which
uid the server should be run. Things that are in the patch:

* Cleanup of some old references to exec-program-group, which were still
  in the texinfo files.

* A new type of configuration CFG_USER in config.y. This type handles
  users that are specified using either uids or usernames. This will
  fill a new type of struct "user_info" with some basic user information
  (the username, the uid and the gid of a user; a complete passwd struct
  would contain way more info than needed).

* A new droppriv.c file, which handles privilege dropping. The current
  implementation for privilege dropping (for running external programs)
  is only changing the euid. I think this is bad policy because this
  way the external program can simply change its uid back to the root uid.
  Setting the exec-program-user probably has a safety-reason, so let's
  be as safe as we can. If a user really wants to keep the ruid "root",
  he can simply set run-user and exec-program-user to "root" in the
  radius server's config and set the euid in the external program himself.
  The drop_privileges() function takes a pointer to a "user_info" struct
  as its argument.

* The new way of setting the run-user/exec-program-user has fixed
  one of the FIXME's in the source of radiusd/exec.c:
    Check user/group
    FIXME: This should be checked *once* after re-reading the
    configuration

* config.syntax contains information on run-user and some related 
  remarks were added to exec-program-user.

* Several checks are added to warn the user for:
  - the use of non-existent uids/usernames (this will cause the server
    to exit).
  - mixing two differing non-root users for run-user and exec-program-user,
    in which case the exec-program-user will not work (because only root
    can switch uid).
  - using Auth-Type System and/or PAM, for which root-access is needed.
  - not being able to find the default user 'daemon' on the system, in
    which case the program will revert to the user 'root' for
    exec-program-user.


There are two files attached: a diff for changes that are made to the
already existing files in CVS and a copy of the new file droppriv.c.


There's a FIXME of my own in radiusd.c:
    /* Now, try to drop our privileges... FIXME: exit on failure?*/
    drop_privileges(&run_user);
I think it would be best to have the server aborting in case the privilege
dropping fails, but I don't know what your opinion on this is.


Regards,

-- Maurice Makaay

Attachment: CVS-droppriv.c
Description: Text document

Attachment: CVS-patch-dropprivileges
Description: Text document
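
The privilege-dropping point in the message above (changing only the euid leaves a way back to root), as an added example that is not the attached droppriv.c or any GNU Radius code. The struct layout and the function name `drop_privileges_permanently` are assumptions, and the code assumes a POSIX system with glibc-style `setgroups()`.

```c
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in for the "user_info" struct the message describes. */
struct user_info {
    const char *username;
    uid_t uid;
    gid_t gid;
};

/* Returns 0 only if the process is now irreversibly running as *u. */
int drop_privileges_permanently(const struct user_info *u)
{
    /* Configured to stay root and already root: nothing to drop. */
    if (u->uid == 0 && getuid() == 0 && geteuid() == 0)
        return 0;
    if (geteuid() == 0) {
        /* Order matters: groups and gid can only change while still root. */
        if (setgroups(1, &u->gid) != 0) return -1;
        if (setgid(u->gid) != 0) return -1;
        /* As root, setuid() sets real, effective and saved uid together;
           seteuid() alone would leave real/saved uid 0 to switch back to. */
        if (setuid(u->uid) != 0) return -1;
    }
    /* Verify instead of trusting return codes. A non-root caller asking
       for a different uid fails here: only root can switch uid. */
    if (getuid() != u->uid || geteuid() != u->uid) return -1;
    if (getgid() != u->gid || getegid() != u->gid) return -1;
    /* The drop is permanent only if root cannot be regained. */
    if (u->uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("daemon");  /* default user named in the message */
    if (pw == NULL) return 1;
    struct user_info run_user = { pw->pw_name, pw->pw_uid, pw->pw_gid };
    if (drop_privileges_permanently(&run_user) != 0) {
        fprintf(stderr, "cannot drop privileges, aborting\n");
        return 1;   /* fail closed instead of continuing as root */
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Returning an error that the caller treats as fatal corresponds to the "exit on failure" option raised in the FIXME.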

