Discussion:
Unable to start RADIUS (Permissions)
Smith, James
2017-11-15 17:15:51 UTC
Hello,
I've attached output from a radius -X command in a text file to provide more information as to what's going on.

I'm receiving the following error:
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
Unable to open file "/etc/raddb/mods-config/files/authorize": Permission denied
}
/etc/raddb/mods-enabled/files[9]: Invalid configuration for module "files"

For /etc/raddb/mods-config/files/authorize I tried to make the permissions r-w-x for root and radius group and read for all other users... so 774 but I'm not having any luck getting radius to start. When I try to give full permission for testing (777), I get the same error.

I also tried to change /etc/raddb/mods-available/files to 777 just to test and I receive the following:

Configuration file /etc/raddb/mods-enabled/files is globally writable. Refusing to start due to insecure configuration.
Errors reading or parsing /etc/raddb/radiusd.conf

Makes sense since it's insecure.

Hopefully there is enough information to pinpoint what's actually going on.

Thanks,
Jim

This message is intended only for the addressee and may contain information that is company confidential or privileged. Any technical data in this message may be exported only in accordance with the U.S. International Traffic in Arms Regulations (22 CFR Parts 120-130) or the Export Administration Regulations (15 CFR Parts 730-774). Unauthorized use is strictly prohibited and may be unlawful. If you are not the intended recipient, or the person responsible for delivering to the intended recipient, you should not read, copy, disclose or otherwise use this message. If you have received this email in error, please delete it, and advise the sender immediately.
Alan Buxey
2017-11-15 17:24:24 UTC
Hi

Just ensure that all the files are readable by the user the daemon runs as - radiusd?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Smith, James
2017-11-15 17:49:02 UTC
Thanks Alan.

I'm logged in as root and am starting radius as root. Root has read permissions to everything.

/etc/raddb/mods-config/files
-rwxrwxr-- 1 root radiusd 9656 Nov 15 16:03 authorize

Jim
Adam Bishop
2017-11-15 21:33:29 UTC
Post by Smith, James
/etc/raddb/mods-config/files
-rwxrwxr-- 1 root radiusd 9656 Nov 15 16:03 authorize
I'd be incredibly surprised if FreeRADIUS was at fault; it should be easy enough to confirm with strace -Ff though. Look for /etc/raddb/mods-config/files/config in the output, and verify that the call to open the file is issued correctly.

As you're running a Red Hat derived system, my money would be on SELinux blocking access to the file.

You can confirm this by installing policycoreutils-python, and running "audit2allow -a -w". Most likely cause would be that the file is mislabelled (ls -alZ will show you the labels).

Regards,

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

Nathan Ward
2017-11-16 00:56:34 UTC
Post by Adam Bishop
Post by Smith, James
/etc/raddb/mods-config/files
-rwxrwxr-- 1 root radiusd 9656 Nov 15 16:03 authorize
I'd be incredibly surprised if FreeRADIUS was at fault; it should be easy enough to confirm with strace -Ff though. Look for /etc/raddb/mods-config/files/config in the output, and verify that the call to open the file is issued correctly.
As you're running a Red Hat derived system, my money would be on SELinux blocking access to the file.
You can confirm this by installing policycoreutils-python, and running "audit2allow -a -w". Most likely cause would be that the file is mislabelled (ls -alZ will show you the labels).
Nope, not selinux.

I note that the debug output has:
<snip>
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
}
</snip>

switch_users appears to be called relatively early in the config parser, looks like right after that section of the config is parsed/printed in the debug, so check what permissions the radius user has for those files.

--
Nathan Ward
Smith, James
2017-11-17 15:21:16 UTC
Hi Alan,
Thank you for the reply. You guys were all correct in that it was an OS problem. I found out that some permissions at a higher level were changed and that looks to be what was causing the problem. There must have been files in a location other than /etc/raddb that had their permissions changed and it was preventing the radiusd user from accessing what it needed.

Thanks for the insight and help.
Jim


Alan DeKok
2017-11-15 19:09:49 UTC
Post by Smith, James
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
Unable to open file "/etc/raddb/mods-config/files/authorize": Permission denied
}
/etc/raddb/mods-enabled/files[9]: Invalid configuration for module "files"
For /etc/raddb/mods-config/files/authorize I tried to make the permissions r-w-x for root and radius group and read for all other users... so 774 but I'm not having any luck getting radius to start. When I try to give full permission for testing (777), I get the same error.
Then it's not a FreeRADIUS problem.

If the OS says that FR doesn't have permission to read the files, then the permissions are wrong. No amount of poking FR will fix the OS.
Post by Smith, James
Hopefully there is enough information to pin point what's actually going on.
What OS are you using?

The default install of FreeRADIUS works on Linux (all variants), *BSD, OSX, etc. So I'm not sure what else is going wrong here.

But it looks like something on your OS, and nothing to do with FreeRADIUS.

Alan DeKok.
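
The thread's resolution was a permission change above the file itself, which the 774 mode on authorize could never compensate for once the daemon had switched to the radiusd user. As an added example (not part of the original thread or of FreeRADIUS), this shell function reads `namei -l` output and reports the first path component that denies a given user. The names `first_blocker`, `sample_broken` and `sample_fixed` are hypothetical, the listing is constructed, and only mode bits are evaluated (no ACLs or SELinux).

```shell
# Usage: namei -l /path/to/file | first_blocker USER GROUP[,GROUP...]
# Directories need search (x) for the user; the final file needs read (r).
first_blocker() {
    awk -v user="$1" -v groups=",$2," '
        $1 == "f:" { next }                  # namei header line
        {
            mode = $1; owner = $2; grp = $3; name = $4
            type = substr(mode, 1, 1)
            if (type == "l") next            # symlink modes are not enforced
            # Exactly one permission class applies: owner, else group, else other.
            if (owner == user)                   cls = substr(mode, 2, 3)
            else if (index(groups, "," grp ",")) cls = substr(mode, 5, 3)
            else                                 cls = substr(mode, 8, 3)
            if (type == "d") { need = "x"; ok = (substr(cls, 3, 1) ~ /[xst]/) }
            else             { need = "r"; ok = (substr(cls, 1, 1) == "r") }
            if (!ok) {
                printf "%s: %s lacks %s (%s %s:%s)\n", name, user, need, mode, owner, grp
                blocked = 1
                exit
            }
        }
        END { if (!blocked) print "ok" }
    '
}

# Constructed listing (not the poster's system): the file is 774 root:radiusd
# as in the thread, but one parent directory has lost its group search bit.
sample_broken() {
    cat <<'EOF'
f: /etc/raddb/mods-config/files/authorize
drwxr-xr-x root root    /
drwxr-xr-x root root    etc
drwx------ root radiusd raddb
drwxr-x--- root radiusd mods-config
drwxr-x--- root radiusd files
-rwxrwxr-- root radiusd authorize
EOF
}
# Same listing with the directory restored to 750.
sample_fixed() { sample_broken | sed 's/^drwx------ /drwxr-x--- /'; }

sample_broken | first_blocker radiusd radiusd   # names the blocking directory
sample_fixed  | first_blocker radiusd radiusd   # prints ok
```

Evaluating the same constructed listing for root reports no blocker, which is why checking access from a root shell says nothing about what the daemon can open after it drops privileges.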

