[csw-maintainers] Interaction between PRESERVECONF, USERGROUP and PROTOTYPE_CLASS_foo

Geoff Davis gadavis at opencsw.org
Thu Dec 16 01:00:20 CET 2010


Hi all,

I'm in the process of rebuilding FreeRADIUS as a more modern package. The original package ran as root, but I'd like to make it run as a non-root user. In the process, I believe I've discovered some problems with interaction between PRESERVECONF, USERGROUP and PROTOTYPE_CLASS_foo

Unfortunately, radiusd (the main FreeRADIUS daemon) cannot read certain files in it's configuration directory when it is not running as root. What happens is that radiusd starts out running as "root", reads some of it's configuration files, then switches context to the runtime user "radius". After this point, it cannot continue reading it's SSL certs, user account lists, etc.

The files in question should not be globally readable for reasons of security, as they contain things like the LDAP user bind password, individual user passwords for static users, database passwords, etc. This precludes a simple solution such as making sure that all of the configuration files are ower=root, group=bin, mode=644.

With this in mind, I tried to figure out how to change the configuration files around so that they are readable only by "radius:radius". This appears to be impossible using our existing GAR mechanisms if the files in question are also being handled by cswpreserveconf

The current mechanism of changing the owner of files is to fiddle around with PROTOTYPE_MODIFIERS and PROTOTYPE_USER_foo, PROTOTYPE_GROUP_foo etc. The docs for cswusergroup [1] state that you have to set the prototype(4) class to "ugfiles" using PROTOTYPE_CLASS_foo. This is to avoid a problem where owner/group of the files in the prototype filter is a user/group that may not have been created yet by the cswusergroup class action script. 

However, this will conflict with the actions of PRESERVECONF which also will fiddle around[2] with the prototype(4) class for various files. Additionally, it may (I haven't verified) have no effect on the files that preserveconf initially creates from the *.CSW templates.

How do I get the permissions on cswpreserveconf-managed files to be non-globally readable, but instead readable only by a user that is created by cswusergroup?

Thanks,
Geoff

[1] http://wiki.opencsw.org/cswclassutils-package#toc16
[2] http://sourceforge.net/apps/trac/gar/browser/csw/mgar/gar/v2/gar.pkg.mk?rev=11882#L200 or thereabouts


More information about the maintainers mailing list