Marcin Jessa <[EMAIL PROTECTED]> wrote:
> One more thing about this solution is you would need to either run
> radiusd as root or chown radiususer:radiusgroup the radius configs
> in order to be able to HUP radiusd. Radius daemon is started as
> root and then switched to the unprivileged user defined in
> radiusd.conf. Radius will die if it gets signal HUP and the config
> files are not owned by the unprivileged user.
No. It will die if it can't read the files. That's different.

> Having radius configs owned by unprivileged user increases security
> risk, since this will grant an attacker who manages to abuse the
> server access to change the configs... Either way, sending -HUP
> signal to a running radius daemon seems like a bad idea.

Only if the file permissions prevent it.

$ chown -R root.radiusd /etc/raddb
$ chmod o-rw /etc/raddb/*
$ chmod g-w /etc/raddb/*
$ chmod g+r /etc/raddb/*

And have the server run as user "radiusd", group "radiusd". It has read permissions to radiusd.conf, so a HUP will work. It doesn't have write permissions, so it's secure.

This is what different groups & file permissions are for.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
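An added example (not from the thread or the FreeRADIUS project) that audits a config directory for the ownership scheme described above: files owned by root, group-readable but not group-writable for the daemon's group, and unreadable by others. The function name, the default owner/group arguments and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# check_raddb_perms DIR [OWNER] [GROUP]
# Reports every regular file in DIR that breaks the "root owns it, the
# daemon's group may read it, nobody else may touch it" scheme, so a HUP
# can re-read the configs while a compromised daemon cannot rewrite them.
# Returns 0 when everything conforms, 1 otherwise. Assumes GNU coreutils.
check_raddb_perms() {
    dir=$1; want_u=${2:-root}; want_g=${3:-radiusd}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # stat prints e.g. "640 root radiusd"; split it into three fields
        set -- $(stat -c '%a %U %G' "$f")
        mode=$1; u=$2; g=$3
        # last octal digit = others, the one before it = group
        # (a leading setuid/setgid/sticky digit, if any, is ignored)
        o_dig=${mode#"${mode%?}"}
        rest=${mode%?}
        g_dig=${rest#"${rest%?}"}
        [ "$u" = "$want_u" ] || { echo "$f: owner $u, expected $want_u"; rc=1; }
        [ "$g" = "$want_g" ] || { echo "$f: group $g, expected $want_g"; rc=1; }
        case $g_dig in
            4|5) ;;   # r-- or r-x: readable, not writable, by the group
            *) echo "$f: group mode $g_dig, expected read-only (4 or 5)"; rc=1 ;;
        esac
        case $o_dig in
            0|1) ;;   # others get neither read nor write
            *) echo "$f: others mode $o_dig, expected no read/write (0 or 1)"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use, e.g.: check_raddb_perms /etc/raddb root radiusd
```

Run it after the chown/chmod sequence above; a non-zero exit means at least one file would either be unreadable to the daemon (HUP fails) or writable by it (the risk Marcin raised).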