From cde3a5a92425bf5c231bce0d1ccec7ab002b05da Mon Sep 17 00:00:00 2001 From: Jorge Schrauwen Date: Sat, 11 Apr 2020 16:19:24 +0200 Subject: [PATCH 1/4] radiusd: Create rundir via SMF method script. --- net/freeradius/Makefile | 2 ++ net/freeradius/files/smf/manifest.xml | 2 +- net/freeradius/files/smf/radiusd.sh | 14 ++++++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 net/freeradius/files/smf/radiusd.sh diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile index 3cfee077c5ed..ab9720c0307b 100644 --- a/net/freeradius/Makefile +++ b/net/freeradius/Makefile @@ -3,6 +3,7 @@ .include "Makefile.common" PKGNAME= ${DISTNAME:S/-server//} +PKGREVISION= 1 COMMENT= Free RADIUS server implementation BUILD_DEFS+= VARBASE @@ -29,6 +30,7 @@ CONFIGURE_ARGS+= --without-rlm_sql_postgresql CONFIGURE_ARGS+= --without-rlm_sql_unixodbc RCD_SCRIPTS= radiusd +SMF_METHODS= radiusd RADIUS_GROUP?= radiusd RADIUS_USER?= radiusd PKG_GROUPS= ${RADIUS_GROUP} diff --git a/net/freeradius/files/smf/manifest.xml b/net/freeradius/files/smf/manifest.xml index 14d834d8b788..6e655f6186f2 100644 --- a/net/freeradius/files/smf/manifest.xml +++ b/net/freeradius/files/smf/manifest.xml @@ -22,7 +22,7 @@ - + diff --git a/net/freeradius/files/smf/radiusd.sh b/net/freeradius/files/smf/radiusd.sh new file mode 100644 index 000000000000..4bbb2a997df7 --- /dev/null +++ b/net/freeradius/files/smf/radiusd.sh @@ -0,0 +1,14 @@ +#!@SMF_METHOD_SHELL@ +# +# $NetBSD: radiusd.sh,v 1.1 2020/04/11 16:17:42 ??? Exp $ +# + +. /lib/svc/share/smf_include.sh + +if [ ! -d @VARBASE@/run/radiusd ]; then + @MKDIR@ @VARBASE@/run/radiusd + @CHMOD@ 0750 @VARBASE@/run/radiusd + @CHOWN@ @RADIUSD_USER@:@RADIUSD_GROUP@ @VARBASE@/run/radiusd +fi + +@PREFIX@/sbin/radiusd "$@" From 3840f10c0bc28b7c7e63abc47a843a446de86d45 Mon Sep 17 00:00:00 2001 
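Review bot: In radiusd.sh the exit status of `@MKDIR@`, `@CHMOD@` and `@CHOWN@` is never checked, so radiusd is launched even when the run directory could not be created or handed to the service account, and the exit codes provided by the sourced smf_include.sh go unused. Each step could end in `|| exit $SMF_EXIT_ERR_FATAL`, for example `@MKDIR@ @VARBASE@/run/radiusd || exit $SMF_EXIT_ERR_FATAL`, so that SMF records the start as failed. Mode and owner are also set only inside `if [ ! -d ... ]`, so a directory that already exists with a different owner or a wider mode is used as it is. Moving the chmod and chown lines below `fi` would re-assert 0750 and the service owner on every start.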
From: Jorge Schrauwen Date: Sat, 11 Apr 2020 20:02:53 +0200 Subject: [PATCH 2/4] RADIUS_* not RADIUSD_* --- net/freeradius/files/smf/radiusd.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/freeradius/files/smf/radiusd.sh b/net/freeradius/files/smf/radiusd.sh index 4bbb2a997df7..a440503b3e04 100644 --- a/net/freeradius/files/smf/radiusd.sh +++ b/net/freeradius/files/smf/radiusd.sh @@ -8,7 +8,7 @@ if [ ! -d @VARBASE@/run/radiusd ]; then @MKDIR@ @VARBASE@/run/radiusd @CHMOD@ 0750 @VARBASE@/run/radiusd - @CHOWN@ @RADIUSD_USER@:@RADIUSD_GROUP@ @VARBASE@/run/radiusd + @CHOWN@ @RADIUS_USER@:@RADIUS_GROUP@ @VARBASE@/run/radiusd fi @PREFIX@/sbin/radiusd "$@" From 6d9d0b38b66162287a4ebdb1e59ccf5e4ca35bf2 Mon Sep 17 00:00:00 2001 From: Jorge Schrauwen Date: Sat, 11 Apr 2020 20:30:16 +0200 Subject: [PATCH 3/4] run freeradius as root via smf FreeRADIUS already support dropping privilages via radisud.conf Currently this is not working because smf will start with as non root. Making smf start freeradius as root will allow the user control over this. It will also allow our svc script to create /var/run/radiusd --- net/freeradius/files/smf/manifest.xml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/freeradius/files/smf/manifest.xml b/net/freeradius/files/smf/manifest.xml index 6e655f6186f2..b5f020c86f7b 100644 --- a/net/freeradius/files/smf/manifest.xml +++ b/net/freeradius/files/smf/manifest.xml @@ -19,9 +19,7 @@ - - - + From 9d6fc2f1a11b59a82612dad03b817fb3ce41c646 Mon Sep 17 00:00:00 2001 From: Jorge Schrauwen Date: Wed, 15 Apr 2020 12:46:44 +0000 Subject: [PATCH 4/4] freeradius: set user/group in default config --- net/freeradius/Makefile | 6 ++++++ net/freeradius/distinfo | 1 + .../patches/patch-raddb_radiusd.conf.in | 17 +++++++++++++++++ 3 files changed, 24 insertions(+) create mode 100644 net/freeradius/patches/patch-raddb_radiusd.conf.in 
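Review bot: The manifest.xml lines of patch 3 are not visible on this page, so this goes by the commit description: once the start method runs as root, the only thing that takes radiusd off root is the `user`/`group` pair in radiusd.conf. A configuration that leaves them unset keeps the daemon running as root with no signal to the administrator. The manifest would benefit from a comment at the start method stating that dependency, something like `<!-- Started as root so the method script can create the run directory; radiusd drops privileges itself via user/group in radiusd.conf. -->`. It may also be worth having the method script log a warning, or refuse to start, when radiusd.conf carries no active `user` setting.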
diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile index ab9720c0307b..b94ba9df6770 100644 --- a/net/freeradius/Makefile +++ b/net/freeradius/Makefile @@ -44,6 +44,12 @@ OWN_DIRS_PERMS+= ${VARBASE}/run/radiusd \ PKG_SYSCONFSUBDIR= raddb +SUBST_CLASSES+= secconf +SUBST_STAGE.secconf= post-configure +SUBST_MESSAGE.secconf= Substituting user and group in radiusd.conf +SUBST_FILES.secconf= raddb/radiusd.conf +SUBST_VARS.secconf= RADIUS_USER RADIUS_GROUP + FILES_SUBST+= RADIUS_USER=${RADIUS_USER} RADIUS_GROUP=${RADIUS_GROUP} MESSAGE_SUBST+= BOOTSTRAP=${PKG_SYSCONFDIR}/certs/bootstrap diff --git a/net/freeradius/distinfo b/net/freeradius/distinfo index 20f89963e0bb..8236718b6f3a 100644 --- a/net/freeradius/distinfo +++ b/net/freeradius/distinfo @@ -8,4 +8,5 @@ SHA1 (patch-ai) = e32ffd24b93e2cef2e72ef9a8ea59d49e1571dc0 SHA1 (patch-configure.ac) = ffec1f851d23f560797c12eba5092f2940e4d662 SHA1 (patch-main_command.c) = 1c79b29eb13df341906c710c8dd41860a27473dd SHA1 (patch-main_util.c) = e8814255c32c8469e81d62f2c7092e8d42744e85 +SHA1 (patch-raddb_radiusd.conf.in) = 353cbed35013777bf055a77cc610b50a637ae7b7 SHA1 (patch-src_lib_udpfromto.c) = 2457f0a7223b1f3ef86d0af020290b26380e6319 diff --git a/net/freeradius/patches/patch-raddb_radiusd.conf.in b/net/freeradius/patches/patch-raddb_radiusd.conf.in new file mode 100644 index 000000000000..d21593a4b1d6 --- /dev/null +++ b/net/freeradius/patches/patch-raddb_radiusd.conf.in 
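Review bot: The `secconf` substitution in net/freeradius/Makefile only changes the radiusd.conf that this build produces. Assuming pkgsrc leaves an existing configuration file in place on upgrade, sites upgrading from the previous revision keep `# user = radius` commented out and would run radiusd as root once the SMF change in this series is installed. The hunk shows a MESSAGE file is already in use (`MESSAGE_SUBST+= BOOTSTRAP=...`), so a short paragraph there telling upgraders to set `user` and `group` in radiusd.conf to the configured RADIUS_USER and RADIUS_GROUP would cover that case. A one-line comment above `SUBST_CLASSES+= secconf`, such as `# Fill in the unprivileged account radiusd drops to after starting as root.`, would also explain why the block exists.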
@@ -0,0 +1,17 @@
+$NetBSD: patch-raddb_radiusd.conf.in,v 1.2 2020/04/14 14:03:13 ??? Exp $
+
+Update example radiusd.conf to include the correct user/group
+
+--- raddb/radiusd.conf.in.orig 2020-04-15 11:59:38.209113301 +0000
++++ raddb/radiusd.conf.in 2020-04-15 12:00:19.973538936 +0000
+@@ -501,8 +501,8 @@
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+-# user = radius
+-# group = radius
++ user = @RADIUS_USER@
++ group = @RADIUS_GROUP@
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
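Review bot: Nothing in the patched radiusd.conf.in tells an administrator that `user` and `group` are now what makes radiusd give up root; the retained comment above them still reads as describing an optional refinement ("finer-grained access controls"). A comment line directly above `user = @RADIUS_USER@`, for example `# Keep user and group set: the service is started as root and drops to this account.`, would discourage commenting them out again. The enclosing section of radiusd.conf.in starts and ends outside the eight-line inner hunk, so the rest of that comment block is not visible here.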