I would concur with the earlier comment that if you change to MySQL rather than the users file, you will have a trouble-free solution.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, January 15, 2003 12:17 PM
> To: Dickon Newman; [EMAIL PROTECTED]
> Subject: Re: Restarting radiusd remotly
>
> On 15 Jan 2003, at 10:47, Dickon Newman wrote:
>
> > From: "Dickon Newman" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: Restarting radiusd remotly
> > Organization: SkyLAN
> > Send reply to: [EMAIL PROTECTED]
> > Date sent: Wed, 15 Jan 2003 10:47:02 -0500
> >
> > Again, I've tried to search the archives without much luck.
> >
> > I have multiple radius boxes (FreeBSD), and currently use rsync
> > to update the users file (and others). However, I need to
> > restart radiusd to notice the changes in the files. I can make
> > a script that sends a kill -9 locally, but what about remotely?
> > Root cannot ssh, and normal users cannot send a kill -9 to a
> > root process?
> >
> > Has anyone else had this problem?
> >
> > I understand that proxying may be a better approach, however, I
> > have to work within certain constraints :-/
>
> bhH >>>
> Write a script (owned by root) that is called by cron (crontab),
> every 5, 10 or whatever minutes, which:
> IF the users file has been modified, echoes that the current users file
> has been changed on DATE/TIME
> Then
> a. sends a kill -HUP to your Radius PID
> b. IF users file was modified then: IF there is an error in
> the Cron or Radius fails to start, send an email to Sys Admin
> with ERROR, else email Radius User File Mods applied and
> Server XYZ restarted.
> c. logs the CRON action to syslog
>
> Else, go sleep until next CRON
>
> This method is, IMO, better for security and admin reasons, and
> provides positive feedback with audit to the admin that the
> users file was modified and the server restarted successfully.
>
> Lastly, I would not run radius as a root-owned process (run as
> user/group with nologin privileges), or run any script which
> ANY system user / daemon can run to do a root level call to
> HUP the radius process. Doing such could place your machine
> and topology in a vulnerable position for attack. It is hard to
> believe the number of sys admins who make this mistake,
> particularly those who run MYSQL and Radius as root level
> processes. A rule of good security engineering and practice is
> to make sure that Programs which take attributes from
> non-trustable sources never directly run as a trusted (root) process.
> Attributes are exploitable (shell code, buffer overflow, etc) in
> most cases, and subsequently the Program is vulnerable to
> attack.
>
> > Dickon...
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> ====================================================
> bernie|bhH >>> [EMAIL PROTECTED]
> ====================================================
> I don't ware no stinking hat...
> Bald, Hatless and Hacking since 1975
> 377 and still trying to Deposit 072
> *******************************************************
> // "There is no expedient to which a man will not go
> // to avoid the pure labor of honest thinking."
> // Honest thought, the real business capital.
> // Observe> Think> Plan> Think> Do> Think>
> *******************************************************
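The cron-driven reload script Bernie outlines above, written out as an added example (not code from this thread or from FreeRADIUS). The users-file, pidfile and stamp-file paths, and the use of mail and logger, are assumptions for a FreeBSD box and should be adjusted locally.

```shell
#!/bin/sh
# Cron-driven reload of radiusd when the rsync'd users file changes.
# Added example for the procedure Bernie outlines; not code from the thread.
# Paths below are assumptions; override them via the environment.
# Run from root's crontab, e.g.: */5 * * * * /usr/local/sbin/reload-radiusd.sh run
USERS_FILE="${USERS_FILE:-/usr/local/etc/raddb/users}"
PID_FILE="${PID_FILE:-/var/run/radiusd.pid}"
STAMP_FILE="${STAMP_FILE:-/var/run/radiusd-users.stamp}"
ADMIN_MAIL="${ADMIN_MAIL:-root}"
HOST="$(uname -n 2>/dev/null || echo localhost)"

# Returns 0 when the users file ($1) is newer than the stamp ($2); a missing
# stamp counts as "changed", so the first run after install sends one HUP.
users_file_changed() {
    [ -f "$1" ] || return 1                 # nothing to reload if the file is gone
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# Reads the pid from the pidfile ($1) into $pid; 0 only if that process is alive.
daemon_alive() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -dc '0-9')
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Sends SIGHUP (re-read config, rather than kill -9) to the live daemon; 1 if none.
reload_radiusd() {
    daemon_alive "$1" || return 1
    kill -HUP "$pid"
}

main() {
    users_file_changed "$USERS_FILE" "$STAMP_FILE" || exit 0   # sleep until next cron
    logger -t reload-radiusd "$USERS_FILE changed; noticed $(date), sending HUP"
    # Give radiusd a moment to re-read the file, then confirm it survived.
    if reload_radiusd "$PID_FILE" && sleep 2 && daemon_alive "$PID_FILE"; then
        touch -r "$USERS_FILE" "$STAMP_FILE"     # stamp inherits the users mtime
        logger -t reload-radiusd "radiusd on $HOST reloaded users file"
        printf 'Radius users file mods applied, server %s restarted.\n' "$HOST" \
            | mail -s "radiusd reload OK on $HOST" "$ADMIN_MAIL"
    else
        logger -p daemon.err -t reload-radiusd "ERROR: radiusd on $HOST failed to reload"
        printf 'ERROR: radiusd on %s did not reload after users file change.\n' "$HOST" \
            | mail -s "radiusd reload FAILED on $HOST" "$ADMIN_MAIL"
        exit 1
    fi
}

# Only act when invoked with "run", so the functions can be sourced and tested.
if [ "${1:-}" = run ]; then main; fi
```

Because the script is owned by root and driven by root's crontab, no unprivileged user or daemon is given a path to HUP the daemon, which is the point Bernie makes about not exposing a root-level call.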
