> Hi All,
> This is very frustrating for us. We are running radiusd (through
> radwatch) with user radius and group radius. Since radiusd must
> be able to read the shadow file, we have created a new user
> radius and group radius, and have manually changed the
> permissions of shadow file which looks as follows:
>
> -rw-r-----    1 root     radius

How about adding radius to the root group:
/etc/group
root:x:0:radius

> But what is happening, yesterday at 4:23PM, and today at 11:33AM
> the permissions were snatched away, making streams of invalid
> logins and beeping our beepers from a team of unhappy users. The
> file permissions go back to the original state, that is:
>
> -rw-------    1 root     root

OK, so my first suggestion won't help in that case. My RedHat knowledge is
limited, I'm a Debian man. Debian's default for /etc/shadow is -rw-r-----,
so my trick above would work.

> We have checked everything (we think), crontab etc, but nothing
> can be found. Please help us.

What would modify the shadow file? Adding/deleting users and changing
passwords. I can't think of anything else. May I suggest testing these
three. The seeming randomness of these times suggests it is being triggered
by a user changing their password, or something similar.

> We have even tried changing permission from linuxconf (fools, but
> you should have seen our frustrated faces), only to get the same
> result.
>
> We are running freeradius 0.4 (Reply-Message does not seem to
> work in 0.5, but that is another issue) in RedHat 7.1.
>
> Thanks in advance, and please, we do not want to run radiusd as
> root, that is a security issue, isn't it?

Of course. freeradius prior to version 4 has a remote exploit, running
software as root is always a risk, connecting your computer to the internet
is always a risk :-) However, if you use ipchains/iptables to block incoming
data on your radius ports unless the packet is from your NAS, then that will
greatly improve security.

How about chrooting your radius installation, and have a script copy
/etc/shadow (and other needed files) to /chroot/freeradius/etc/shadow and
set appropriate permissions so that radius can read the chroot'd /etc/shadow

Or perhaps changing these lines in radiusd.conf
                passwd = /etc/passwd
                shadow = /etc/shadow
                group = /etc/group
to point to copies of these files, again with needed permissions. As of yet I
haven't tested that, however it is on my todo list (along with 2^10 other
things).

> --
> The steady state of disks is full.
> -- Ken Thompson
>
> Dr. Muhammad Masroor Ali
> Associate Professor and Associate Director
> Institute of Information and Communication Technology
> Bangladesh University of Engineering and Technology
> Dhaka-1000, Bangladesh
> Phone: 880 2 966 5602 (Office), 880 2 966 5700 (Residence)
> Fax: 880 2 966 5602, 880 2 861 3046, 880 2 861 3026


Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix
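One way to script the copy-and-set-permissions step suggested in the reply above, as an added example that is not part of the original message or of FreeRADIUS: it publishes a root:radius 0640 copy of /etc/shadow atomically and gives you a check to put in monitoring, so the next time something resets /etc/shadow to 0600 nothing breaks and you find out before users do. The path /chroot/freeradius/etc/shadow and the group name radius come from the thread; GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Run from root's crontab, e.g. hourly,
# after a cron-driven copy the original's mode no longer matters to radiusd.
set -eu

# Copy $src to $dest as root:$grp mode 0640, via a temp file in the same
# directory so radiusd never reads a half-written shadow copy. The temp
# file is created under umask 077 so it is never group/world readable
# before chmod runs. Run as root, cp leaves the copy owned by root.
sync_shadow_copy() {
    src=$1 dest=$2 grp=$3
    tmp="$dest.tmp.$$"
    (umask 077 && cp "$src" "$tmp")
    chgrp "$grp" "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$dest"   # rename within one filesystem is atomic
}

# Return 0 when $dest is mode 0640 and owned by group $grp, 1 otherwise.
# This is the check to alert on: it fails the moment permissions are reset.
check_shadow_copy() {
    dest=$1 grp=$2
    mode=$(stat -c '%a' "$dest")
    g=$(stat -c '%G' "$dest")
    [ "$mode" = "640" ] && [ "$g" = "$grp" ]
}

# Production invocation (paths and group as discussed in the thread).
if [ "${1:-}" = "--cron" ]; then
    sync_shadow_copy /etc/shadow /chroot/freeradius/etc/shadow radius
    check_shadow_copy /chroot/freeradius/etc/shadow radius
fi
```

Point the radiusd.conf passwd/shadow/group lines at the copies, or leave them if the copy lives inside a chroot at the same relative path.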
