On Wed, 12 Nov 2003 12:40, Matt Zimmerman wrote:
> The only reason I can think of for running a RADIUS server as root would be
> to authenticate against UNIX passwords or such, which is a pretty bad idea
> anyway. They should all run as non-root.

Allowing a RADIUS server to authenticate local users against /etc/shadow is standard and expected functionality IMHO. I consider any RADIUS server which can't authenticate against the local accounts database to be severely broken.

This does not necessarily have to require root access. The unix_chkpwd helper program for the pam_unix.so module allows checking a password for an account with the current UID. Giving all local accounts for the RADIUS server the same UID as the RADIUS server won't work for several reasons (including the fact that the unix_chkpwd helper has broken checks which fail when two accounts have the same UID).

One possible solution to this is to have a special GID for non-root programs which are allowed to check passwords. I would be happy to code this if someone else wants to do the testing...

Another issue that has to be addressed is the unix_acct code (checking for accounts with expired passwords). I've already written a helper for that.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
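The two checks discussed in the message, modelled in Python as an added illustration (this is not the code of unix_chkpwd, of pam_unix or of the author's helper): the caller-UID ownership test of a non-root password helper, which fails for a second account sharing a UID because getpwuid() returns only the first matching entry, and a unix_acct-style expiry test over shadow fields. The passwd and shadow tables are constructed inline, not read from the system.

```python
# Constructed passwd table (name, uid); uid 1001 is deliberately shared by
# two accounts to reproduce the "same UID" failure the message describes.
PASSWD = [("radiusd", 1001), ("alice", 1001), ("bob", 1002)]

# Constructed shadow fields: name -> (last_change_day, max_days, expire_day),
# all in days since the epoch, -1 meaning "field not set" as in shadow(5).
SHADOW = {
    "radiusd": (12000, -1, -1),   # password never expires, no account expiry
    "alice":   (12000, 90, -1),   # password must be changed every 90 days
    "bob":     (12000, -1, 12300),  # account expires on day 12300
}


def getpwuid(uid):
    """Mimic getpwuid(3): the FIRST passwd entry with this uid wins."""
    for name, u in PASSWD:
        if u == uid:
            return name
    return None


def helper_allows(caller_uid, requested_user):
    """Ownership check modelled on a non-root password helper: root may check
    any account; any other caller only the account its own UID maps to."""
    if caller_uid == 0:
        return True
    return getpwuid(caller_uid) == requested_user


def account_status(user, today):
    """unix_acct-style check over the shadow fields for 'user' on day 'today':
    returns 'ok', 'password_expired' (must change) or 'account_expired'."""
    lstchg, max_days, expire = SHADOW[user]
    if expire != -1 and today >= expire:
        return "account_expired"
    if max_days != -1 and today - lstchg > max_days:
        return "password_expired"
    return "ok"


if __name__ == "__main__":
    # radiusd (uid 1001) can check its own password...
    print(helper_allows(1001, "radiusd"))
    # ...but not alice's, even though alice also has uid 1001: getpwuid(1001)
    # resolves to "radiusd", so the ownership test fails for the second account.
    print(helper_allows(1001, "alice"))
    for user in SHADOW:
        print(user, account_status(user, today=12100))
```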