No subject
Tue Jun 24 01:21:43 CDT 2008
6.4.31 User
On Unix, this optional parameter sets the effective user ID (UID) that radiusd will run as, provided radiusd starts as a suitably privileged user (usually as root). The value can be a valid Unix user name or an integer UID.
6.4.32 Group
On Unix, this optional parameter sets the effective group ID (GID) that radiusd will run as, provided radiusd starts as a suitably privileged user (usually as root). The value can be a valid Unix group name or an integer GID.
.......................................
Q1: What do you mean by "a suitably privileged user (usually as root)"?
I've done this:
1. created a user called "radiator" and a group called "radiator"
2. changed /etc/radiator and all files within to be owned by user=radiator group=radiator
3. changed /var/log/radius and all files within to be owned by user=radiator group=radiator
The problem occurs when calling an external script located in /etc/radiator
***********************************
radius.cfg
***********************************
################################################
### 24/3-03 PEL
### Radius.cfg jumphost that uses PAM
################################################
# Foreground
# LogStdout
#
######################
User radiator
Group radiator
# User root
# Group root
######################
AuthPort 1645
AcctPort 1646
#
LogDir /var/log/radius
LogFile /var/log/radius/logfile.txt
DbDir /etc/radiator
#
Trace 4
################################################
# Clients
###############################################
<Client DEFAULT>
Secret mysecret
Identifier Default
</Client>
################################################
# AuthBy's
###############################################
<AuthLog FILE>
Identifier LoginLog
Filename %L/loginlog.txt
LogSuccess 1
LogFailure 1
SuccessFormat %l:Client-ip=%c:NAS-ip=%N:%U:OK
FailureFormat %l:Client-ip=%c:NAS-ip=%N:%U:FAIL:%1
</AuthLog>
################################################
# Handlers
###############################################
<Handler Client-Identifier = Default>
AuthByPolicy ContinueWhileAccept
# Use /etc/pam.d/login as default
# PAM is configured as Kerberos client
<AuthBy PAM>
Service login
</AuthBy>
# Checker via script group membership
#
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
# Member of Network ?
<AuthBy EXTERNAL>
Command %D/chgrp.sh network %u
AddToReply Service-Type = Administrative
</AuthBy>
# Member of operations ?
<AuthBy EXTERNAL>
Command %D/chgrp.sh operations %u
AddToReply Service-Type = NAS-Prompt-User
</AuthBy>
</AuthBy>
# Log accounting to a detail file
AcctLogFileName %L/detail
AuthLog LoginLog
</Handler>
******************************************************
***********
chgrp.sh
************
#!/bin/bash
#
# 25/3-03 PEL
#
# Syntax : chgrp.sh groupname username
# Exits 0 if username is listed as a member of groupname in /etc/group, 1 otherwise.
#
# Match the group entry exactly (^name:) and the user exactly within the
# member list, so that "net" does not match "network" and "pel" does not
# match "dmdpel". Note that a user's primary group (the GID in /etc/passwd)
# is not listed in the /etc/group member field and is not detected here.
#
[ $# -eq 2 ] || exit 1
group="$1"
user="$2"
if grep -E "^${group}:" /etc/group | cut -d: -f4 | tr ',' '\n' | grep -qx "$user"; then
    # user $2 is in group $1
    exit 0
else
    # not a member
    exit 1
fi
********************************************************************
logfile
********************************************************************
Wed Apr 2 10:22:37 2003: DEBUG: Packet dump:
*** Received from 10.165.18.49 port 4457 ....
Code: Access-Request
Identifier: 217
Authentic: 1234567890123456
Attributes:
User-Name = "dmdpel"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<145><254>1<201><202>1e<146><188>8<9><160><216>}x<153>"
Wed Apr 2 10:22:37 2003: DEBUG: Handling request with Handler 'Client-Identifier = Default'
Wed Apr 2 10:22:37 2003: DEBUG: Deleting session for dmdpel, 203.63.154.1, 1234
Wed Apr 2 10:22:37 2003: DEBUG: Handling with PAM service login
Wed Apr 2 10:22:37 2003: DEBUG: PAM is asking for 1: 'Password'
Wed Apr 2 10:22:38 2003: DEBUG: Handling with Radius::AuthGROUP
Wed Apr 2 10:22:38 2003: DEBUG: Running command: /etc/radiator/chgrp.sh netw129 dmdpel
Wed Apr 2 10:22:38 2003: DEBUG: Running command: /etc/radiator/chgrp.sh nete129 dmdpel
Wed Apr 2 10:22:38 2003: DEBUG: Running command: /etc/radiator/chgrp.sh pcc153 dmdpel
Wed Apr 2 10:22:38 2003: INFO: Access rejected for dmdpel: Error -1 running EXTERNAL command: No child processes
Wed Apr 2 10:22:38 2003: DEBUG: Packet dump:
*** Sending to 10.165.18.49 port 4457 ....
Code: Access-Reject
Identifier: 217
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
*****************************************************************
Hi Hugh!

I have experienced problems when running radiusd under a separate user account.

The server is running Redhat 8.0.
The server is configured as Kerberos client and users are authenticated via PAM; it works fine.

The config (radius.cfg) is tested when radiusd is running as root and it works as expected.
When switching to user radiator I'm getting the following error in the logfile:
"Wed Apr 2 10:22:38 2003: INFO: Access rejected for dmdpel: Error -1 running EXTERNAL command: No child processes"

I've found this in the mailing list archives, is this relevant?
To: Radiator Mailinglist <radiator at open.com.au>
Subject: (RADIATOR) Bug? changing EUID/EGID with User/Group params doesn't work
From: Karl Gaissmaier <karl.gaissmaier at rz.uni-ulm.de>
Date: Wed, 04 Sep 2002 15:39:04 +0200

Below I have included "radius.cfg", the script "chgrp.sh" and "logfile".

Do you need anything further to answer my questions?

Regards
Per Lütkemeyer
DMdata a/s
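The manual excerpt on User/Group and the poster's steps 1 to 3 (ownership of /etc/radiator and the external script) turn on two things a defender can check on their own: a daemon can only switch to the "radiator" identity if it starts as root, and once switched it is subject to ordinary file permissions when it runs %D/chgrp.sh. The following Python is an added example written for this page; it is not code from the Radiator manual, from Open System Consultants, or from the original post. The function names (resolve_uid, resolve_gid, plan_identity_switch, drop_privileges, current_identity, can_execute_as, make_constructed_script) and the simplified permission model are assumptions of this example, and the stand-in script it creates is a constructed sample.

```python
"""Added example: what "starts as a suitably privileged user (usually as root)"
implies for User/Group, plus a pre-flight check that the dropped-privilege
identity can still execute an external command such as %D/chgrp.sh.

Not the Radiator manual's or the original poster's code. Function names and
the simplified permission model are assumptions of this example.
"""
import grp
import os
import pwd
import stat
import tempfile


def resolve_uid(value):
    """User accepts a user name or an integer UID; return the numeric UID."""
    text = str(value).strip()
    return int(text) if text.isdigit() else pwd.getpwnam(text).pw_uid


def resolve_gid(value):
    """Group accepts a group name or an integer GID; return the numeric GID."""
    text = str(value).strip()
    return int(text) if text.isdigit() else grp.getgrnam(text).gr_gid


def plan_identity_switch(user, group):
    """Resolve the target identity without touching process state."""
    return {"uid": resolve_uid(user), "gid": resolve_gid(group)}


def current_identity():
    """Real ids of the running process (used by the pre-flight check below)."""
    return {"uid": os.getuid(), "gid": os.getgid(),
            "supplementary": tuple(os.getgroups())}


def drop_privileges(user, group):
    """Switch a root process to the unprivileged identity, permanently.

    Only root may set arbitrary UIDs/GIDs: a daemon started directly as
    'radiator' cannot switch identities, which is why the manual requires a
    suitably privileged starting user. Order matters: supplementary groups
    and the GID first, the UID last, because after the UID change the process
    is no longer allowed to alter its groups.
    """
    if os.geteuid() != 0:
        raise PermissionError(
            "must start as root to switch to user=%s group=%s" % (user, group))
    plan = plan_identity_switch(user, group)
    os.setgroups([])            # shed root's supplementary groups
    os.setgid(plan["gid"])
    os.setuid(plan["uid"])      # sets real, effective and saved UID
    try:
        os.setuid(0)            # must now fail: the drop is irreversible
    except PermissionError:
        return plan
    raise RuntimeError("privilege drop was not permanent")


def can_execute_as(path, uid, gid, supplementary=()):
    """Would a process with these ids pass classic Unix permission checks to
    execute `path`? Owner bits apply if uid owns the file, else group bits if
    gid or a supplementary group matches, else other bits. Root bypasses the
    owner/group/other split but still needs at least one execute bit.
    Simplification (assumption): ACLs, capabilities and search permission on
    the parent directories are ignored.
    """
    st = os.stat(path)
    if uid == 0:
        return bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid == gid or st.st_gid in supplementary:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def make_constructed_script(mode):
    """Write a throwaway stand-in for chgrp.sh (constructed sample, owned by
    the current user) with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    me = current_identity()
    script = make_constructed_script(0o750)
    print("target identity:", plan_identity_switch("root", "0"))
    print("current identity can execute the script:",
          can_execute_as(script, me["uid"], me["gid"], me["supplementary"]))
    os.unlink(script)
```

Run as an ordinary user this only exercises the resolution and pre-flight functions; drop_privileges refuses to run unless the process is root, which is exactly the condition the manual's "suitably privileged user" wording describes. The pre-flight check is the one to run against the real script path with the ids of the intended User/Group before relying on an AuthBy EXTERNAL command under a non-root daemon.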
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.