Created attachment 617352 [details] Emerge info for freeradius

When installing freeradius on a systemd system, files in /etc/raddb and /etc/raddb itself are owned by root, but radiusd runs as the radius user. This means that the user must change the directory permissions manually in order to get radiusd to start successfully. Ideally, /etc/raddb should be owned by the radius user.
Hi, thanks for the report and sorry for the delay. Yeah, probably the issue is the result of the work required to drop the security issue related to the use of fowners -R here: https://github.com/gentoo/gentoo/blob/master/net-dialup/freeradius/freeradius-3.0.18-r1.ebuild#L213. I will try to fix every single file with a for loop, because without fowners -R it is a bit hard. I confirm the issue. Thanks for the report. Daniele
Still a problem. To be frank, no version of freeradius has worked for me in Gentoo since 3.0.15. I fear that I'm going to have to take over maintenance for it to ever work...
I had to change ownership from root to radius for numerous files in /etc/raddb/mods-config so radius would start...
Yeah, the only issue here is that for security reasons I dropped fowners radius:radius -R /etc/radius. So an iteration over every file under /etc/radius is needed in the ebuild to change the owner. I will try to fix this in the next days. Sorry, little free time because of covid19 issues. Regards, - geaaru
Regarding security ... my files in /etc/raddb are root:radius and group readable. Since radiusd runs as user radius, that should be just open enough IMHO.
I have about 10 installations in production without issues. It's needed only to execute this:

chown radius:radius -R /etc/raddb

So, just to understand what the issue is:

1. Can you check this and share what error is returned to you with the -Xx options? Just add:

Environment=RADIUSD_OPTIONS="-XX"

in the systemd override file.
2. Do you use systemd or not?
3. Have you enabled the systemd use flag with the systemd keepalive integration?

Let me know. Thanks
Sorry, correction: -Xx
(In reply to Geaaru from comment #7)
> I have about 10 installation in production without issues.
>
> It's needed only to execute this:
>
> chown radius:radius -R /etc/raddb

Reading my comment again I was not clear: I'm running

chgrp -R radius /etc/raddb

to keep the files owned by root, with radius only having read access to them. I don't run systemd, it's all openrc.
Permissions root:radius aren't correct for a lot of FreeRadius configurations, for example for the creation of radwtmp or in other modules. Please, can you post your errors with the -Xx options and which use flags are enabled when compiling FreeRadius? Why are you on openrc while using a systemd profile (I see it at the beginning of the emerge --info post)? IIRC that profile enables the systemd use flag by default, and this means that FreeRadius could be compiled with systemd integration. I can't help you if I can't see what errors FreeRadius reports.
Sorry, I see now the attached emerge info for the use flags, and yes, the systemd use flag is enabled. Try to compile it with -systemd.
(In reply to Geaaru from comment #11)
> Sorry, I see now attached emerge info for the use flags and yes is enabled
> systemd use flag.
>
> Try to compile it with -systemd.

Note that I'm not the same user who posted their emerge --info. My setup doesn't have systemd enabled. Here are my use flags:

[ebuild R ] net-dialup/freeradius-3.0.20::gentoo USE="ldap pam python readline samba ssl -debug (-firebird) -iodbc -kerberos -libressl -memcached -mongodb -mysql -odbc -oracle -pcap -postgres -redis -rest -sqlite -systemd" PYTHON_SINGLE_TARGET="python3_6 -python3_7 (-python3_8)" 0 KiB
@Dirk Olmes Please post the FreeRadius debug output (options -Xx) from the bootstrap phase. Thanks.
Created attachment 638504 [details] output of /usr/sbin/radiusd -Xx
It seems clear that it is a permissions issue, like I wrote.

Wed May 13 08:03:32 2020 : Error: Unable to check file "/etc/raddb/mods-config/preprocess/huntgroups": Permission denied
Wed May 13 08:03:32 2020 : Error: /etc/raddb/mods-enabled/preprocess[13]: Failed parsing configuration item "huntgroups"
Wed May 13 08:03:32 2020 : Error: /etc/raddb/mods-enabled/preprocess[13]: Invalid configuration for module "preprocess"

Can you try to execute:

# ls -l /etc/raddb/mods-enabled/
(post the output here)
# chown radius:radius -R /etc/raddb

and start the freeradius service again? Thanks
So, the problem is that FreeRadius drops root capabilities before reading the config files and certs. Because of this, they all need to be at least group readable to the gid FreeRadius is running as, which is "radius". We already have the following code in the build file:

fowners root:radius "${ROOT}"/etc/raddb/certs
fowners root:radius "${ROOT}"/etc/raddb/certs/ca.pem
fowners root:radius "${ROOT}"/etc/raddb/certs/server.{key,crt,pem}

I wonder if we can just do this for the whole /etc/raddb tree?

fowners -R root:radius "${ROOT}"/etc/raddb
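A pre-start check for the condition described in this comment, written as an added example (not code from the bug thread or the ebuild): it lists every path under a config root that the daemon could not read or traverse once it has dropped root to the given account, which is exactly what produced the "Permission denied" on huntgroups above. It assumes GNU find and getent (the Gentoo defaults); the config root, account names and sample tree are parameters or constructed.

```bash
#!/bin/bash
# Added example, not part of the bug thread or the freeradius ebuild.
# Report paths under ROOT that a process running with UID/GID could not
# read (files) or list and traverse (directories). A path counts as
# accessible if it is world-readable, or owned by UID with u+r, or
# group-owned by GID with g+r; directories additionally need x.
# Numeric ids are used so no name lookup is needed (GNU find assumed).

# Usage: raddb_unreadable ROOT UID GID
raddb_unreadable() {
  local root="$1" uid="$2" gid="$3"
  # Regular files: the daemon must be able to read them.
  find "$root" -type f \
    ! -perm -o=r \
    ! \( -uid "$uid" -perm -u=r \) \
    ! \( -gid "$gid" -perm -g=r \) -print
  # Directories: the daemon must be able to list and enter them.
  find "$root" -type d \
    ! -perm -o=rx \
    ! \( -uid "$uid" -perm -u=rx \) \
    ! \( -gid "$gid" -perm -g=rx \) -print
}

# Number of offending paths; 0 means the tree is consistent with
# "root:radius, at least group readable" as discussed in the bug.
raddb_unreadable_count() {
  raddb_unreadable "$@" | wc -l | tr -d ' '
}

# Usage: raddb_check_service ROOT USER GROUP
# Resolves the service account by name, e.g. raddb_check_service /etc/raddb radius radius
raddb_check_service() {
  local uid gid
  uid=$(id -u "$2") || return 1
  gid=$(getent group "$3" | cut -d: -f3)
  [ -n "$gid" ] || return 1
  raddb_unreadable "$1" "$uid" "$gid"
}
```

Running it before and after the chgrp/chown discussed above shows which entries under /etc/raddb still need attention; an empty result means the daemon can read its whole configuration tree.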
Unfortunately, not. Some ebuilds ago it was configured with fowners -R, but I received feedback from the security group that it is not correct. So the solution is to try to set the right permissions on single files. I will try in the next days to push a fix. Thanks for the support and sorry for the delay in my reply. Little time for everything in the last period because of covid problems.
What is wrong with "fowners -R root:radius" for *config* files that are 640?
Discussion is here: https://github.com/gentoo/gentoo/pull/13463#discussion_r352303093

and the blog here: http://michael.orlitzky.com/articles/end_root_chowning_now_%28make_pkg_postinst_great_again%29.xhtml
What would be wrong with calling this in src_install? I 100% agree that ebuilds should not be doing things on a live filesystem unless required, especially changing permissions, but src_install should be a safe and correct place to make sure all these files that we are about to install are root:radius, not root:root, no?

I tried this with -B and I ended up with a correct-looking tbz2 file in /var/cache/binpkgs/:

drwxr-xr-x root/root 0 2020-08-31 00:49 ./
drwxr-xr-x root/root 0 2020-08-31 00:49 ./etc/
drwxr-xr-x root/root 0 2020-08-31 00:49 ./etc/init.d/
-rwxr-xr-x root/root 734 2020-08-31 00:49 ./etc/init.d/radiusd
drwxr-x--- root/radius 0 2020-08-31 00:49 ./etc/raddb/
drwxr-x--- root/radius 0 2020-08-31 00:49 ./etc/raddb/policy.d/
-rw-r----- root/radius 8201 2020-08-31 00:49 ./etc/raddb/policy.d/moonshot-targeted-ids
-rw-r----- root/radius 1320 2020-08-31 00:49 ./etc/raddb/policy.d/eap
-rw-r----- root/radius 1323 2020-08-31 00:49 ./etc/raddb/policy.d/operator-name
-rw-r----- root/radius 4746 2020-08-31 00:49 ./etc/raddb/policy.d/filter
-rw-r----- root/radius 2703 2020-08-31 00:49 ./etc/raddb/policy.d/canonicalization
(...)
-rw-r----- root/radius 20807 2020-08-31 00:49 ./etc/raddb/README.rst

To compare, this is what the current ebuild produces:

drwxr-xr-x root/root 0 2020-08-31 00:59 ./
drwxr-xr-x root/root 0 2020-08-31 00:59 ./etc/
drwxr-xr-x root/root 0 2020-08-31 00:59 ./etc/init.d/
-rwxr-xr-x root/root 734 2020-08-31 00:59 ./etc/init.d/radiusd
drwxr-x--- root/radius 0 2020-08-31 00:59 ./etc/raddb/
drwxr-x--- root/root 0 2020-08-31 00:59 ./etc/raddb/policy.d/
-rw-r----- root/root 8201 2020-08-31 00:59 ./etc/raddb/policy.d/moonshot-targeted-ids
-rw-r----- root/root 1320 2020-08-31 00:59 ./etc/raddb/policy.d/eap
-rw-r----- root/root 1323 2020-08-31 00:59 ./etc/raddb/policy.d/operator-name
-rw-r----- root/root 4746 2020-08-31 00:59 ./etc/raddb/policy.d/filter
-rw-r----- root/root 2703 2020-08-31 00:59 ./etc/raddb/policy.d/canonicalization
(...)
-rw-r----- root/root 20807 2020-08-31 00:59 ./etc/raddb/README.rst
Hi, sorry for the delay. So, do you mean that it could be correct to use fowners -R at the end of the src_install function? It makes sense. I'll prepare the PR with this fix. Thank you for your feedback.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be67148802010c6065e170c4d1d43c3ef3967fe2

commit be67148802010c6065e170c4d1d43c3ef3967fe2
Author: Daniele Rondina <geaaru@gmail.com>
AuthorDate: 2020-09-18 10:11:44 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-10-17 13:19:14 +0000

net-dialup/freeradius: Fix /etc/raddb permissions

Package-Manager: Portage-2.3.89, Repoman-2.3.22
Signed-off-by: Daniele Rondina <geaaru@gmail.com>
Closes: https://bugs.gentoo.org/711756
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

net-dialup/freeradius/freeradius-3.0.20.ebuild | 5 +++++
1 file changed, 5 insertions(+)