On 15 Jan 2003, at 10:47, Dickon Newman wrote:

From:                   "Dickon Newman" <[EMAIL PROTECTED]>
To:                     <[EMAIL PROTECTED]>
Subject:                Restarting radiusd remotly
Organization:           SkyLAN
Send reply to:          [EMAIL PROTECTED]
Date sent:              Wed, 15 Jan 2003 10:47:02 -0500

> Again, I've tried to search the archives without much luck.
> 
> I have multiple radius boxes (FreeBSD), and currently use rsync
> to update the users file (and others).  However, I need to
> restart radiusd to notice the changes in the files.  I can make
> a script that sends a kill -9 locally, but what about remotely?
> Root cannot ssh, and normal users cannot send a kill -9 to a
> root process?
> 
> Has anyone else had this problem?
> 
> I understand that proxying may be a better approach, however, I
> have to work within certain constraints :-/
bhH >>>
Write a script (owned by root) that is called by cron (crontab)
every 5, 10 or whatever minutes, which:
IF the users file has been modified, echoes that the current users file
has been changed on DATE/TIME,
Then
        a.  sends a kill -HUP to your Radius PID
        b.  IF the users file was modified then: IF there is an error in
the Cron or Radius fails to start, send an email to the Sys Admin
with ERROR, else email Radius User File Mods applied and
Server XYZ restarted.
        c.  logs the CRON action to syslog

Else, go sleep until the next CRON

This method is IMO better for security and admin reasons, and
provides positive feedback with audit to the admin that the
users file was modified and the server restarted successfully.

Lastly, I would not run radius as a root owned process (run as a
user/group with nologin privileges), or run any script which
ANY system user / daemon can run to do a root level call to
HUP the radius process. Doing such could place your machine
and topology in a vulnerable position for attack. It is hard to
believe the number of sys admins who make this mistake,
particularly those who run MySQL and Radius as root level
processes.  A rule of good security engineering and practice is
to make sure that programs which take attributes from
non-trustable sources never directly run as a trusted (root) process.
Attributes are exploitable (shell code, buffer overflow, etc.) in
most cases, and subsequently the program is vulnerable to
attack.

 
> Dickon...
> 
> 
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 



====================================================
bernie|bhH >>> [EMAIL PROTECTED]
====================================================
I don't ware no stinking hat...
    Bald, Hatless and Hacking since 1975
         377 and still trying to Deposit 072
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************
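
Added example (not code from this thread or from the FreeRADIUS project): a
POSIX sh script that implements the cron procedure described in the reply
above on a FreeBSD radius box. It detects a changed users file by comparing
it against a stamp file from the last successful reload, HUPs the pid from
the pidfile, checks that the daemon is still alive afterwards, and reports
the outcome to syslog and by mail. It also refuses to act on a pidfile that
does not hold a plain number, since signalling whatever a corrupted pidfile
says (for instance "-1") would hit every process the caller may signal. The
users file path, stamp file, pidfile location, admin address and install
path are assumptions; adjust them for your installation.

```shell
#!/bin/sh
# radius-reload.sh: cron-driven reload of radiusd after rsync updates the
# users file. Hypothetical example script; all paths below are assumptions.

USERS_FILE=${USERS_FILE:-/usr/local/etc/raddb/users}   # file that rsync updates
STAMP=${STAMP:-/var/db/radius-users.stamp}             # mtime of the last applied copy
PIDFILE=${PIDFILE:-/var/run/radiusd/radiusd.pid}       # where radiusd writes its pid
ADMIN_MAIL=${ADMIN_MAIL:-radius-admin@example.com}     # empty string disables mail
TAG=radius-reload                                      # syslog tag

# Log a line to syslog and, if an address is configured, mail the admin.
notify() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$TAG" -p daemon.notice -- "$1" 2>/dev/null || :
    fi
    if [ -n "$ADMIN_MAIL" ]; then
        printf '%s\n' "$1" | mail -s "[$TAG] $(uname -n)" "$ADMIN_MAIL"
    fi
}

# True when the users file exists and is newer than the stamp left by the
# last successful reload (or when no stamp exists yet). find -newer is POSIX.
users_changed() {
    [ -f "$USERS_FILE" ] || return 1
    [ -f "$STAMP" ] || return 0
    [ -n "$(find "$USERS_FILE" -newer "$STAMP" -print)" ]
}

# Send SIGHUP to the pid in the pidfile and confirm the daemon survived.
# The pid must be a plain number: a missing or corrupted pidfile is a
# failure, never a reason to signal something else.
reload_radiusd() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -HUP "$pid" 2>/dev/null || return 1
    sleep 1
    kill -0 "$pid" 2>/dev/null
}

# Record that the current users file has been applied.
mark_applied() {
    touch "$STAMP"
}

# Cron entry point. Nothing to do unless the file changed; on success advance
# the stamp, on failure leave it alone so the next run retries and alerts again.
apply_users_update() {
    users_changed || return 0
    if reload_radiusd; then
        mark_applied
        notify "users file $USERS_FILE changed; radiusd on $(uname -n) reloaded at $(date)"
        return 0
    fi
    notify "ERROR: users file $USERS_FILE changed but radiusd on $(uname -n) failed to reload at $(date)"
    return 1
}

# crontab entry (assumed install path):
#   */5 * * * * /usr/local/sbin/radius-reload.sh run
case "${1:-}" in
    run) apply_users_update ;;
esac
```

Two points that tie this back to the reply's advice. First, the script
needs no root at all if radiusd itself runs as an unprivileged user: put the
job in that user's crontab and the only requirement is that the rsync'd
users file is readable by it, so nothing root-level is exposed to other
accounts. Second, rsync writes a temporary file and renames it into place
unless told otherwise, so the cron job never sees a half-written users file;
it either sees the old copy or the complete new one.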