Radrelay and detail file permissions

2006-03-31 Thread Ben Plimpton
I have set up radius to log detail files for radrelay to use.  I think
that I followed the documentation exactly except for the name of the
detail file.

detail detail-combined {
    detailfile = ${radacctdir}/detail-combined
    detailperm = 0600
    dirperm = 0755
    locking = yes
}

accounting {
    detail
    detail-combined
}

FreeRadius logs to this file properly if I don't start up radrelay and
the permissions remain as I would expect they should:

-rw-------  1 radiusd radiusd 1166 Mar 31 12:02 detail-combined

But when I start radrelay the permissions change:

[EMAIL PROTECTED] radacct]# radrelay -a /var/log/radius/radacct \
-d /etc/raddb -n ns2-new detail-combined

[EMAIL PROTECTED] radacct]# ls -la
total 44
drwx------  9 radiusd radiusd 4096 Mar 31 12:08 .
drwx------  3 radiusd radiusd 4096 Mar 31 12:02 ..
drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 11:42 127.0.0.1
drwxr-xr-x  2 radiusd radiusd 4096 Mar 17 16:17 216.17.128.39
drwxr-xr-x  2 radiusd radiusd 4096 Feb  7 00:30 216.237.65.2
drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 00:00 216.237.67.198
drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 09:34 216.237.67.217
drwxr-xr-x  2 radiusd radiusd 4096 Feb 14 09:49 216.237.72.66
drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 10:39 216.237.77.3
-rw-------  1 root    root       0 Mar 31 12:08 detail-combined
[EMAIL PROTECTED] radacct]#

I start getting errors like this in my radius.log which I would expect
with the file permissions the way they are and radiusd cannot log to the
detail file properly and as a result, radrelay cannot send the
accounting request to the remote server:

Fri Mar 31 12:11:13 2006 : Error: rlm_detail: Couldn't open
file /var/log/radius/radacct/detail-combined: Permission denied

Am I missing something with the way I am starting up radrelay?  Or are
there permissions that I need to check somewhere else?  

Should radrelay be run as user radiusd?  If so, how would I do that?

Also.  My system is running Fedora Core 4 - FreeRadius Ver 1.0.4

Any help is greatly appreciated. Thanks


-- 
Microsoft is not the answer, it's the question.  NO is the answer.

Ben Plimpton
Network Engineer
[EMAIL PROTECTED]
970-963-SURF(7873) ext 5174
www.sopris.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radrelay and detail file permissions

2006-03-31 Thread Zoltan Ori
On Friday 31 March 2006 14:17, Ben Plimpton wrote:

> But when I start radrelay the permissions change:
>
> [EMAIL PROTECTED] radacct]# radrelay -a /var/log/radius/radacct \
> -d /etc/raddb -n ns2-new detail-combined
>
> [EMAIL PROTECTED] radacct]# ls -la
> total 44
> drwx------  9 radiusd radiusd 4096 Mar 31 12:08 .
> drwx------  3 radiusd radiusd 4096 Mar 31 12:02 ..
> drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 11:42 127.0.0.1
> drwxr-xr-x  2 radiusd radiusd 4096 Mar 17 16:17 216.17.128.39
> drwxr-xr-x  2 radiusd radiusd 4096 Feb  7 00:30 216.237.65.2
> drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 00:00 216.237.67.198
> drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 09:34 216.237.67.217
> drwxr-xr-x  2 radiusd radiusd 4096 Feb 14 09:49 216.237.72.66
> drwxr-xr-x  2 radiusd radiusd 4096 Mar 31 10:39 216.237.77.3
> -rw-------  1 root    root       0 Mar 31 12:08 detail-combined
> [EMAIL PROTECTED] radacct]#
>
> Am I missing something with the way I am starting up radrelay?  Or are
> there permissions that I need to check somewhere else?

Don't start radrelay as root. Start it as the same user you use to start 
RADIUS. In this case, radiusd.

Zoltan Ori
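
One way to act on the advice above, as an added example that is not part of the thread or of FreeRADIUS: a wrapper that refuses to start radrelay while anything under the accounting directory has the wrong owner, and drops from root to the service user before launching. The paths and radrelay arguments are those in the original post; `RUN_AS`, `ACCT_DIR` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and radrelay arguments are the
# ones in the post; RUN_AS, ACCT_DIR and the function names are assumptions.
RUN_AS=${RUN_AS:-radiusd}
ACCT_DIR=${ACCT_DIR:-/var/log/radius/radacct}

# Print entries under directory $1 that are NOT owned by user $2.
# Returns 0 if all match, 1 if any differ (e.g. a detail file created by
# root), 2 if find itself failed (unknown user, unreadable directory).
wrong_owner() {
    bad=$(find "$1" ! -user "$2" -print) || return 2
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# How to start radrelay given the current uid ($1) and service uid ($2):
# "direct" if already the service user, "su" if root, otherwise "refuse".
launch_mode() {
    if [ "$1" = "$2" ]; then echo direct
    elif [ "$1" = 0 ]; then echo su
    else echo refuse
    fi
}

start_radrelay() {
    if ! wrong_owner "$ACCT_DIR" "$RUN_AS" >&2; then
        echo "ownership check failed; chown the entries above to $RUN_AS" >&2
        return 1
    fi
    set -- radrelay -a "$ACCT_DIR" -d /etc/raddb -n ns2-new detail-combined
    case $(launch_mode "$(id -u)" "$(id -u "$RUN_AS")") in
        direct) exec "$@" ;;
        # -s supplies a shell in case the service account has none
        su)     exec su -s /bin/sh "$RUN_AS" -c "$*" ;;
        *)      echo "run this as $RUN_AS or root" >&2; return 1 ;;
    esac
}

# Only act when asked to, so the file can also be sourced for the helpers.
if [ "${1:-}" = start ]; then start_radrelay; fi
```

A detail file that was already created by root has to be removed or chowned to the service user before the check passes.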
