FreeRADIUS / freeradius-server

FreeRADIUS - A multi-protocol policy server.
http://freeradius.org
GNU General Public License v2.0
2.11k stars 1.08k forks source link

tmpfolder can't be used on Ubuntu 22.04 due PrivateTmp Systemd option enabled by default #5066

Open megothub opened 1 year ago

megothub commented 1 year ago

What type of defect/bug is this?

Crash or memory corruption (segv, abort, etc...)

How can the issue be reproduced?

OS: Ubuntu 22.04 freeradius to be started as service no issues if started with freeradius -X

Issue itself: tmpdir can't be used (E.g. in case if EAP configuration with requirement to check certificates)

described in /etc/freeradius.old/3.0/mods-enabled/eap

                        #  A temporary directory where the client
                        #  certificates are stored.  This directory
                        #  MUST be owned by the UID of the server,
                        #  and MUST not be accessible by any other
                        #  users.  When the server starts, it will do
                        #  "chmod go-rwx" on the directory, for
                        #  security reasons.  The directory MUST
                        #  exist when the server starts.
                        #
                        #  You should also delete all of the files
                        #  in the directory when the server starts.
                        #
                #       tmpdir = /tmp/radiusd

When directory created and configured as described above freeradius keeps failing with the following error (/var/log/syslog) Jun 17 15:28:51 vm freeradius[233969]: tls: Failed changing permissions on /tmp/radiusd: No such file or directory

After investigation it is clear that default systemd script: /lib/systemd/system/freeradius.service

has the following related setting causes issues:

# Private /tmp that isn't shared by other processes
PrivateTmp=true

When changed to false freeradius starts seeing that tmp folder. It is expected behavior.

Now, to solve the issue for anyone who will try to enable tmp folder on Ubuntu systems I propose the following solution

a) change /etc/init.d/freeradius script as follows

# /var/run may be a tmpfs
if [ ! -d /var/run/freeradius ]; then
    mkdir -p /var/run/freeradius
    chown freerad:freerad /var/run/freeradius
to be added >    mkdir -p /var/run/freeradius/tmp
to be added >   chown freerad:freerad /var/run/freeradius/tmp
fi

b) change description and location of the tmp folder in the following conf files /etc/freeradius.old/3.0/mods-available/eap /etc/freeradius.old/3.0/sites-available/tls to highlight that /var/run/freeradius/tmp should be used

Log output from the FreeRADIUS daemon

not applicable. Check description of the issue as freeradius -X doesn't show any issue due issue with start script.

Relevant log output from client utilities

not applicable. Check description of the issue that contains output from /var/log/syslog

Backtrace from LLDB or GDB

No response

jpereira commented 1 year ago

@megothub which version are you using?

megothub commented 1 year ago

FreeRADIUS Version 3.0.26 from Ubuntu repos tried to build manually 3.2.3 release - same result

megothub commented 1 year ago

actually, changing /etc/init.d/freeradius is not enough. Checking systemd script. /var/run/freeradius/tmp folder was not created while starting freeradius

megothub commented 1 year ago

that's the article I've used to configure EAP https://wiki.mikrotik.com/wiki/Manual:Wireless_EAP-TLS_using_RouterOS_with_FreeRADIUS

I've found another issue linked to mine https://github.com/FreeRADIUS/freeradius-server/issues/3119 but there was no answer and it was closed by the topic starter

ndptech commented 1 year ago

Creating a directory in /var/run/freeradius is best done with a systemd override. Try creating /etc/systemd/system/freeradius.service.d/override.conf containing

[Service]
User=freerad
Group=freerad
RuntimeDirectory=freeradius freeradius/tmp
RuntimeDirectoryPreserve=yes

The last option will leave the directory available when the FreeRADIUS service is stopped - without that systemd tidies up runtime directories.