(RADIATOR) Problem with AuthBy EXTERNAL when radiusd is running under different uid/gid than root

2003-04-02 Thread Per Lütkemeyer

Hi Hugh !

I have experienced problems when running radiusd under a separate user account.

The server is running Redhat 8.0 
The server is configured as Kerberos client and users are authenticated via PAM, it works fine.

The config (radius.cfg) is tested with radiusd running as root and it works as expected.
When switching to user radiator I'm getting the following error in the logfile:
Wed Apr 2 10:22:38 2003: INFO: Access rejected for dmdpel: Error -1 running EXTERNAL command: No child processes


I've found this in the mailing list archives; is this relevant?

To: Radiator Mailinglist [EMAIL PROTECTED] 
Subject: (RADIATOR) Bug? changing EUID/EGID with User/Group params doesn't work 
From: Karl Gaissmaier [EMAIL PROTECTED] 
Date: Wed, 04 Sep 2002 15:39:04 +0200 


Below I have included radius.cfg, the script chgrp.sh and the logfile.

Do you need anything further to answer my questions?

Regards
Per Lütkemeyer
DMdata a/s

..
From the manual :

6.4.31 User
On Unix, this optional parameter sets the effective user ID (UID) that radiusd will run
as, provided radiusd starts as a suitably privileged user (usually as root). The value can
be a valid Unix user name or an integer UID.
6.4.32 Group
On Unix, this optional parameter sets the effective group ID (GID) that radiusd will run
as, provided radiusd starts as a suitably privileged user (usually as root). The value can
be a valid Unix group name or an integer GID.
...
Q1: What do you mean by a suitably privileged user (usually as root)?


I've done this:
1. created a user called radiator and a group called radiator 
2. changed /etc/radiator and all files within to be owned by user=radiator group=radiator
3. changed /var/log/radius and all files within to be owned by user=radiator group=radiator

The problem occurs when calling an external script located in /etc/radiator




***
radius.cfg
***


### 24/3-03 PEL
### radius.cfg for the jump host that uses PAM

# Foreground
# LogStdout
#
##
User  radiator
Group  radiator
# User  root
# Group  root
##
AuthPort 1645
AcctPort 1646
#
LogDir /var/log/radius
LogFile /var/log/radius/logfile.txt
DbDir  /etc/radiator
#
Trace  4



# Clients
###
<Client DEFAULT>
Secret mysecret
Identifier Default
</Client>




# AuthBy's
###
<AuthLog FILE>
  Identifier LoginLog
  Filename %L/loginlog.txt
  LogSuccess 1
  LogFailure 1
  SuccessFormat %l:Client-ip=%c:NAS-ip=%N:%U:OK
  FailureFormat %l:Client-ip=%c:NAS-ip=%N:%U:FAIL:%1
</AuthLog>



# Handlers
###
<Handler Client-Identifier = Default>
AuthByPolicy ContinueWhileAccept

# Use /etc/pam.d/login as default
# PAM is configured as Kerberos client
<AuthBy PAM>
Service login
</AuthBy>

# Check group membership via script
#
<AuthBy GROUP>
  AuthByPolicy ContinueUntilAccept

  # Member of network ?
  <AuthBy EXTERNAL>
  Command %D/chgrp.sh network %u
  AddToReply Service-Type = Administrative
  </AuthBy>

  # Member of operations ?
  <AuthBy EXTERNAL>
  Command %D/chgrp.sh operations %u
  AddToReply Service-Type = NAS-Prompt-User
  </AuthBy>

</AuthBy>

# Log accounting to a detail file
AcctLogFileName %L/detail
AuthLog LoginLog
</Handler>

**

***
chgrp.sh

#!/bin/bash
#
# 25/3-03 PEL
#
# Syntax : chgrp.sh groupname username
#
# Exit 0 if username is a listed member of groupname in /etc/group, else 1.
# The group field is anchored and the member compared as a whole field, so
# "network" does not also match "networking" and "pel" does not match "dmdpel".
# Radiator passes %u (the request's User-Name) as $2: quote it so the shell
# does not word-split or glob it. (The original piped into grep with the
# redirection to /dev/null lost in extraction; -q replaces it.)
if grep "^$1:" /etc/group | cut -d: -f4 | tr ',' '\n' | grep -qxF "$2"; then
  # echo user $2 is in group $1
  exit 0
else
  # echo Error
  exit 1
fi



logfile

Wed Apr 2 10:22:37 2003: DEBUG: Packet dump:
*** Received from 10.165.18.49 port 4457 
Code:Access-Request
Identifier: 217
Authentic: 1234567890123456
Attributes:
User-Name = dmdpel
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
NAS-Port-Type = Async
User-Password = 14525412012021e14618889160216}x153

Wed Apr 2 10:22:37 2003: DEBUG: Handling request with Handler 'Client-Identifier = Default'
Wed Apr 2 10:22:37 2003: DEBUG: Deleting session for dmdpel, 203.63.154.1, 1234
Wed Apr 2 10:22:37 2003: DEBUG: Handling with PAM service login
Wed Apr 2 10:22:37 2003: DEBUG: PAM is asking for 1: 'Password'
Wed Apr 2 10:22:38 2003: DEBUG: 

(RADIATOR) Problem with AuthBy EXTERNAL

1999-04-20 Thread Richi Plana

Hi,

I originally wrote this email with the software author as the intended
recipient, but then I read the Terms of Support (which to say is none), so
I'm posting here:

Because of certain requirements, we need to use AuthBy EXTERNAL to
authenticate our users. Each time I try, however, the Radius client simply
times out. We know the external program gets executed, but Radiator can't
seem to "see" the external program's reply.

We're running Radiator on a Sparc/Solaris 2.6 system. We tried using the
ff. test programs:

external.c:

#include <stdio.h>
#include <stdlib.h>

/* Print the reply attributes for AuthBy EXTERNAL, one per line, then
 * exit 0 (accept). The angle brackets and the '*' in argv were lost in
 * extraction and are restored here. */
int main(int argc, char *argv[]) {
    printf("\tUser-Service-Type = Framed-User\n");
    printf("\tFramed-Protocol = PPP\n");
    exit(0);
}

and external.pl:

#!/opt/perl/bin/perl -w
# Log whatever Radiator writes to stdin, then print reply attributes.
# Append mode is assumed; the redirection character was lost in extraction.
# 'or' instead of '||': with '||' the exit is never reached, because
# "file" || exit 1 is evaluated before open sees its arguments.
open LOG, ">>/opt/Radiator/log/external.log" or exit 1;
while (<STDIN>) {
    print LOG $_;
}
close LOG;
print "\tUser-Service-Type = Framed-User\n" .
      "\tFramed-Protocol = PPP\n";
exit 0;

Both programs get executed, but the clients just time out. In
AuthEXTERNAL.pm, in sub handle_request, after waitpid, I get $? = -1 (and
$result = $? >> 8 = 16777215). I am positive that the external program
gets executed.

Hope someone can help.


L   L Richi Plana 8^) ,-,-. ,-,-. ,-,-. ,-,-. ,-
LL LL Systems Administrator  / / \ \   / / \ \   / / \ \   / / \ \   / /
L Mosaic Communications, Inc. \ \ / /   \ \ / /   \ \ / /   \ \ / / 
L mailto:[EMAIL PROTECTED] `-'-' `-'-' `-'-' `-'-'  
--PGP key http://www2.mozcom.com/~richip/richip.asc 
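Both posts see the same thing from the waitpid side: the 2003 logfile reports "No child processes" (ECHILD) and the 1999 post gets $? = -1 with $? >> 8 = 16777215. The Python block below is an added illustration, not Radiator's code nor anything from either poster, of one way that symptom arises (the parent ignoring SIGCHLD, so the child is reaped automatically before waitpid looks for it) and of the status arithmetic that turns -1 into 16777215. It assumes POSIX process semantics; the command it runs is a constructed stand-in for chgrp.sh, and whether this was the actual cause in either thread is not established on this page.

```python
import errno
import os
import signal

# Constructed stand-in for chgrp.sh: a command that simply exits with status 3.
STAND_IN = ["/bin/sh", "-c", "exit 3"]


def perl_shift(status):
    """Perl's `$? >> 8` is an unsigned shift on a 32-bit build, so a waitpid
    failure stored as -1 in $? shows up as 0xFFFFFF = 16777215."""
    return (status & 0xFFFFFFFF) >> 8


def run_external(argv, ignore_sigchld=False):
    """Fork, exec argv and reap it with waitpid, as a Perl open-pipe wrapper
    does.  Returns (raw_status, errno_name): raw_status mirrors $? (-1 when
    waitpid itself fails), errno_name is e.g. 'ECHILD' or None.

    Assumption: POSIX semantics, where a parent that ignores SIGCHLD has its
    children reaped automatically, so a later waitpid finds nothing and fails
    with ECHILD ("No child processes").
    """
    previous = signal.signal(signal.SIGCHLD,
                             signal.SIG_IGN if ignore_sigchld else signal.SIG_DFL)
    try:
        pid = os.fork()
        if pid == 0:                      # child: run the external command
            try:
                os.execv(argv[0], argv)
            finally:
                os._exit(127)             # only reached if exec failed
        try:
            _, status = os.waitpid(pid, 0)
        except ChildProcessError as exc:  # waitpid returned -1
            return -1, errno.errorcode[exc.errno]
        return status, None
    finally:
        signal.signal(signal.SIGCHLD, previous)


if __name__ == "__main__":
    for ignore in (False, True):
        raw, err = run_external(STAND_IN, ignore_sigchld=ignore)
        print(f"SIGCHLD ignored={ignore}: $?={raw} $?>>8={perl_shift(raw)} err={err}")
```

The decode also makes the second post's number readable: 16777215 is not an exit code from the external program at all, it is waitpid's -1 after the shift.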


