On Mon, 06 Jun 2005 17:11:46 -0400 "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> Marcin Jessa <[EMAIL PROTECTED]> wrote:
> > > You can send a HUP signal to the server.
> > That would require apache to have access to the radius daemon when
> > using a web-based interface.
>
> Uh, no.

The way I understand it, say a PHP script used to HUP radiusd would get executed as the httpd user. In that case the httpd daemon would need to be added to the sudoers group like this:

www your.server = NOPASSWD: /usr/local/sbin/radiusd

How else can this be done?

> > Even worse, it'd be pretty much impossible to write a secure GUI
> > application to remotely access freeradius and make it reread the
> > data stored in SQL since activating the changes made in the nas
> > table will require sending a HUP signal to the server.
>
> You're having a web page update RADIUS clients in SQL, and you're
> worried about a "secure" GUI? That makes no sense.

That actually makes sense. In both cases a user can be granted only certain privileges by the tool he/she uses, not being able to do any harm to the radius server.
Anyway, a well-coded web or GUI application shouldn't be less secure than a *NIX server granting access to remotely accessible services like sshd or smtpd.

> If the application can update the SQL data, you've already lost most
> of the security of your system. It means that someone breaking in
> through that application can update SQL, and then use a malicious
> RADIUS client to further attack the server.

The FreeRadius daemon can be remotely accessed and it updates data stored in an SQL database. Does that make it insecure? There is always a chance someone can do something nasty with some tool.

> > Maybe a wrapper for that could fix it but IMHO it's not a very
> > "elegant" solution.
>
> A web GUI updating the configuration for a security-critical
> application isn't a very "elegant" solution, either.

What in your opinion would make an elegant solution to create a user-friendly tool to configure FreeRadius?

> > > Source code modifications.
> > Can this be added to the todo list?
>
> Whose?

I was convinced you were a part of the developers team and every project I know of has certain goals and milestones.

Thanks,
Marcin.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
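The sudoers line discussed in the message grants the httpd user password-less root execution of the whole radiusd binary, which lets a compromised web process run radiusd with any arguments and any configuration file. The "wrapper" idea raised in the thread narrows that: the only thing sudo exposes is a script that reads radiusd's pidfile, checks that it contains nothing but a process id, and sends exactly one SIGHUP. The script below is an added example written for this page, not code from FreeRADIUS or from anyone in the thread; the pidfile path, the script name radiusd-hup and the sudoers layout are assumptions.

```shell
#!/bin/sh
# radiusd-hup: minimal sudo target that reloads radiusd by sending SIGHUP
# to the pid named in its pidfile. Nothing else is reachable from here.
# Assumed pidfile location (differs between builds and distributions).
PIDFILE="${RADIUSD_PIDFILE:-/var/run/radiusd/radiusd.pid}"

# Accept only a positive integer. Anything else written into the pidfile
# (shell metacharacters, a second token, an empty line) is rejected so the
# value can never reach kill(1) as anything but a pid.
validate_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -gt 1 ] ;;
    esac
}

# Print the pid held in the first line of the pidfile, or fail.
read_pid() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    validate_pid "$pid" || return 1
    printf '%s\n' "$pid"
}

# Send one SIGHUP to the pid in the pidfile. The signal and the target are
# fixed here; the caller cannot influence either.
hup_from_pidfile() {
    pid=$(read_pid "$1") || {
        echo "radiusd-hup: bad or missing pidfile: $1" >&2
        return 1
    }
    kill -HUP "$pid"
}

# Arguments from the caller are deliberately ignored. When installed as
# radiusd-hup, the script only ever acts on the fixed PIDFILE.
case "${0##*/}" in
    radiusd-hup) hup_from_pidfile "$PIDFILE" ;;
esac
```

With the script installed root-owned and mode 0755 as /usr/local/sbin/radiusd-hup, the sudoers entry becomes `www ALL = NOPASSWD: /usr/local/sbin/radiusd-hup` (assumed host alias), and the PHP side calls `sudo /usr/local/sbin/radiusd-hup`. The difference from the line in the message is that root only ever runs this one fixed action, so a web-application compromise gains a reload, not a root shell through radiusd's own command line.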

