[Pkg-freeradius-maintainers] Bug#955543: Freeradius - Not working sysvinit script

Jan Korbel debian at teptin.net
Thu Apr 2 10:44:25 BST 2020


Package: freeradius
Version: 3.0.17+dfsg-1.1

Hello.

We have a problem with the freeradius init script after upgrading to an
up-to-date Deb10 with sysvinit. It is not possible to reload the
configuration or stop the daemon.

ps axf|grep radius
 1838 ?        Ssl    1:07 /usr/sbin/freeradius
24598 pts/0    S+     0:00                          \_ grep radius

/etc/init.d/freeradius stop
[ ok ] Stopping FreeRADIUS daemon: freeradius.

ps axf|grep radius
 1838 ?        Ssl    1:07 /usr/sbin/freeradius
24688 pts/0    S+     0:00  

/etc/init.d/freeradius reload
[ ok ] Checking FreeRADIUS daemon configuration...done (Configuration
appears to be OK).
[ ok ] FreeRADIUS daemon is running.
[....] Reloading FreeRADIUS daemon: freeradiusstart-stop-daemon:
matching only on non-root pidfile /var/run/freeradius/freeradius.pid is
insecure failed!

I fixed this by patching the /etc/init.d/freeradius script (attached):

/etc/init.d/freeradius reload
[ ok ] Checking FreeRADIUS daemon configuration...done (Configuration
appears to be OK).
[ ok ] FreeRADIUS daemon is running.
[ ok ] Reloading FreeRADIUS daemon: freeradius.

/etc/init.d/freeradius stop
[ ok ] Stopping FreeRADIUS daemon: freeradius.

ps axf|grep radius
27235 pts/0    S+     0:00  |                       \_ grep radius

There is relevant information in the dpkg manpage:

Warning: using this match option with a world-writable pidfile or using
it alone with a daemon that writes the pidfile as an unprivileged
(non-root) user will be refused with an error (since version 1.19.3) as
this is a security risk, because either any user can write to it, or if
the daemon gets compromised, the contents of the pidfile cannot be
trusted, and then a privileged runner (such as an init script executed
as root) would end up acting on any system process. Using /dev/null is
exempt from these checks.

Regards,

J.K.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius-init.patch
Type: text/x-patch
Size: 345 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeradius-maintainers/attachments/20200402/66ea752d/attachment.bin>
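
The policy described in the manpage warning quoted above, written out as an added shell example (not code from dpkg, the freeradius package, or the attached patch). The function names are hypothetical, and it assumes Linux with `stat -c` and `/proc/PID/exe`; the two paths at the end are the ones quoted in the report.

```shell
#!/bin/sh
# Added illustration, not code from dpkg or the freeradius package.
# Assumes Linux: stat -c (GNU coreutils or BusyBox) and /proc/PID/exe.

# Succeeds if FILE grants write permission to "other".
world_writable() {
    mode=$(stat -c %a "$1") || return 0    # no metadata: treat as unsafe
    case ${mode#"${mode%?}"} in            # last octal digit = "other" bits
        2|3|6|7) return 0 ;;
    esac
    return 1
}

# Succeeds if FILE holds a numeric PID whose running executable is EXE.
pid_matches_exe() {
    pid=
    read -r pid < "$1" || [ -n "$pid" ] || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;           # empty or non-numeric content
    esac
    [ "$(readlink "/proc/$pid/exe" 2>/dev/null)" = "$2" ]
}

# may_signal FILE EXE [TRUSTED_UID]
# EXE may be "" to model matching on the pidfile alone.
# Returns 0 if a privileged caller may act on the PID in FILE, 1 otherwise.
may_signal() {
    file=$1 exe=$2 trusted=${3:-0}
    # Never use a missing, symlinked or world-writable pidfile.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    world_writable "$file" && return 1
    owner=$(stat -c %u "$file") || return 1
    if [ "$owner" != "$trusted" ] && [ -z "$exe" ]; then
        return 1                           # non-root pidfile used alone
    fi
    # With EXE given, the process itself must also match.
    [ -z "$exe" ] || pid_matches_exe "$file" "$exe"
}

# Paths below are the ones quoted in the report.
if may_signal /var/run/freeradius/freeradius.pid /usr/sbin/freeradius; then
    echo "pidfile and executable match"
else
    echo "refusing to act on pidfile"
fi
```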