tls: Failed changing permissions with networkradius.com packages


Arnaud LAURIOU
Hi,

We are replacing our default ubuntu (18.04) FR packages with those
provided by networkradius.com
(3.0.21).

We use TLS (radsec), we kept the same tls virtual-server and with
networkradius packages we have an error
during the startup process :
freeradius[19720]: tls: Failed changing permissions on /var/tmp/radsec: No such file or directory

This directory exists, it is owned by freeradius user and it is empty :
$ ls -al /var/tmp/radsec
total 8
drwx------ 2 freerad freerad 4096 juil. 28 15:41 .
drwxrwxrwt 7 root    root    4096 juil. 28 17:15 ..

In debug mode (freeradius -fxx -l stdout) : freeradius starts fine, no error.
listen {
      type = "auth"
      virtual_server = "default"
      ipaddr = 194.57.7.17
      port = 2083
      proto = "tcp"
..
    verify {
        skip_if_ocsp_ok = no
        tmpdir = "/var/tmp/radsec"
        client = "/usr/bin/openssl verify -CApath /etc/freeradius/certs -CAfile /etc/freeradius/certs/eduPKICA.crt %{TLS-Client-Cert-Filename}"
    }


Any idea ?


Regards,

Arnaud Lauriou

--
Direction des Services Applicatifs
RENATER - Rennes
https://www.renater.fr/


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: tls: Failed changing permissions with networkradius.com packages

Sven Hartge-5
On 28.07.20 17:32, Arnaud LAURIOU wrote:

> We are replacing our default ubuntu (18.04) FR packages with those
> provided by networkradius.com
> (3.0.21).
>
> We use TLS (radsec), we kept the same tls virtual-server and with
> networkradius packages we have an error
> during the startup process :
> freeradius[19720]: tls: Failed changing permissions on /var/tmp/radsec:
> No such file or directory
>
> This directory exists, it is owned by freeradius user and it is empty :
> $ ls -al /var/tmp/radsec
> total 8
> drwx------ 2 freerad freerad 4096 juil. 28 15:41 .
> drwxrwxrwt 7 root    root    4096 juil. 28 17:15 ..

The systemd.unit freeradius comes with uses "PrivateTmp=yes" which
creates a private and separate /tmp and /var/tmp in a separate namespace
for the freeradius process.

So your /var/tmp/radsec is not the directory the freeradius process sees.

Solution: Switch off PrivateTmp (I would avoid this) or use a different
directory, for example /run/freeradius or create /var/cache/freeradius

Grüße,
Sven.
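
A static check for the mismatch described in the reply above, as an added example that is not part of the original thread or of the FreeRADIUS packages. It reports when a configured `tmpdir` sits under /tmp or /var/tmp while the unit enables PrivateTmp; the function names, file names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: does PrivateTmp hide the configured tmpdir from the service?
# On a live host, read the effective value with: systemctl show -p PrivateTmp <unit>
# Here the functions parse file text so the check runs offline.

# Exit 0 if the last PrivateTmp= assignment in unit file $1 is a true value.
privatetmp_enabled() {
    val=$(sed -n 's/^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first uncommented tmpdir value found in config file $1.
radsec_tmpdir() {
    sed -n 's/^[[:space:]]*tmpdir[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# check_tmpdir UNIT_FILE CONF_FILE: print a verdict, exit 1 when the path is masked.
check_tmpdir() {
    dir=$(radsec_tmpdir "$2")
    [ -n "$dir" ] || { echo "no tmpdir set"; return 0; }
    case "$dir/" in
        /tmp/*|/var/tmp/*)
            if privatetmp_enabled "$1"; then
                echo "MASKED: $dir is inside the service's private /tmp or /var/tmp"
                return 1
            fi ;;
    esac
    echo "OK: $dir is not affected by PrivateTmp"
    return 0
}

# Constructed sample input (not copied from a real host).
make_samples() {
    printf '[Service]\nUser=freerad\nPrivateTmp=yes\n' > "$1/unit"
    printf 'verify {\n\ttmpdir = "/var/tmp/radsec"\n}\n' > "$1/tls_bad"
    printf 'verify {\n\ttmpdir = "/var/cache/freeradius"\n}\n' > "$1/tls_ok"
}

d=$(mktemp -d)
make_samples "$d"
check_tmpdir "$d/unit" "$d/tls_bad" || true   # prints MASKED
check_tmpdir "$d/unit" "$d/tls_ok"            # prints OK
rm -rf "$d"
```
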

Re: tls: Failed changing permissions with networkradius.com packages

Arnaud LAURIOU


On 7/28/20 5:45 PM, Sven Hartge wrote:

> On 28.07.20 17:32, Arnaud LAURIOU wrote:
>
>> We are replacing our default ubuntu (18.04) FR packages with those
>> provided by networkradius.com
>> (3.0.21).
>>
>> We use TLS (radsec), we kept the same tls virtual-server and with
>> networkradius packages we have an error
>> during the startup process :
>> freeradius[19720]: tls: Failed changing permissions on /var/tmp/radsec:
>> No such file or directory
>>
>> This directory exists, it is owned by freeradius user and it is empty :
>> $ ls -al /var/tmp/radsec
>> total 8
>> drwx------ 2 freerad freerad 4096 juil. 28 15:41 .
>> drwxrwxrwt 7 root    root    4096 juil. 28 17:15 ..
> The systemd.unit freeradius comes with uses "PrivateTmp=yes" which
> creates a private and separate /tmp and /var/tmp in a separate namespace
> for the freeradius process.
>
> So your /var/tmp/radsec is not the directory the freeradius process sees.
>
> Solution: Switch off PrivateTmp (I would avoid this) or use a different
> directory, for example /run/freeradius or create /var/cache/freeradius
Indeed, and thanks for your prompt response.

Regards,

Arnaud Lauriou
