OpenCSW Bug Tracker


Viewing Issue Simple Details

ID: 0004940
Category: [freeradius] upgrade
Severity: major
Reproducibility: always
Date Submitted: 2012-04-24 11:49
Last Update: 2012-06-19 10:36
Reporter: leinenbach
View Status: public
Assigned To: dam
Priority: normal
Resolution: fixed
Status: closed
Summary: 0004940: freeRADIUS v1.0.1 package is obsolete and may be insecure
Description: The freeRADIUS 1.0.1 package is extremely outdated, should not be used and is insecure. Version 2.x is now recommended, but there's no such package.

Quote:
"As of January 2008, the version 1.1.x releases are no longer actively maintained. Version 1.1.7 was the last release in that cycle. We recommend that everyone using Version 1.1.7 (or any earlier version) upgrade to the latest 2.x release as soon as possible."
Source: http://freeradius.org/download.html
Additional Information: http://www.opencsw.org/packages/CSWfreeradius/
Maintainer: Michael Hunter (Retired)

Blastwave has an old v2.x package from 2009:
http://www.blastwave.org/jir/pkgcontents.ftd?software=freeradius&style=brief&state=5&arch=i386

Notes
(0009830)
dam (administrator)
2012-04-24 14:21

Hi,

I am currently fiddling with updating to 2.1.12. Would you be willing to do some testing of the preliminary package?
(0009831)
leinenbach (reporter)
2012-04-24 14:27

Great! Yes, I can do some testing.
(0009832)
dam (administrator)
2012-04-24 19:35

Hi Jens, I have some preliminary packages for 2.1.12 sparc here which will show up shortly:
  http://buildfarm.opencsw.org/experimental.html#freeradius
The package will most certainly contain many things that can be improved, but I am willing to take a stab and fix issues as they come up. Please post about your experiences and suggestions.
(0009833)
leinenbach (reporter)
2012-04-25 12:18

Thank you very much, but I need the i386 package for testing although I need the sparc version later.
(0009834)
leinenbach (reporter)
2012-04-25 15:38

Right now, I still test the old experimental i386 package.

If it is similar here, then there are /etc/opt/csw/raddb/modules/*.CSW files as a backup of the original files.
All *.CSW files should be removed as everything in this subdir is included by the radiusd.conf file. (And we can't exclude *.CSW, as regexes seem not to be supported.)

radiusd.conf:
...
$INCLUDE ${confdir}/modules/
...

If we want to keep those *.CSW files there, then we should use another directory similar to the sites directory - or store them in a subdir somewhere else (e.g. /opt/csw/doc/doc/freeradius/).

(I usually recommend leaving all original config files untouched as they could be overwritten or deleted later, and making changes to *.local files instead. But this does not work here, at least not consequently.)
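
The check raised in the note above, as an added example that is not part of the original thread or of the OpenCSW package: a shell function that reads radiusd.conf, finds each directory-style `$INCLUDE` line and lists the *.CSW files sitting in that directory. It assumes `${confdir}` is the directory containing radiusd.conf; `stray_csw_files`, `demo` and the sample tree are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example (not OpenCSW or FreeRADIUS code). Lists *.CSW backup files
# that sit in a directory named by a directory-style "$INCLUDE <dir>/" line.
# Assumption: ${confdir} is the directory that holds radiusd.conf.

stray_csw_files() {
    conf=$1
    confdir=$(dirname "$conf")
    tok='${confdir}'            # literal text to expand, not a shell variable
    # Print the argument of each $INCLUDE line that ends in "/".
    sed -n 's|^[[:space:]]*\$INCLUDE[[:space:]]\{1,\}\(.*/\)[[:space:]]*$|\1|p' "$conf" |
    while IFS= read -r dir; do
        case $dir in
            "$tok"/*) dir=$confdir/${dir#"$tok"/} ;;
            /*)       ;;                 # absolute path, use as written
            *)        continue ;;        # other forms are out of scope here
        esac
        [ -d "$dir" ] || continue
        for f in "$dir"*.CSW; do
            # An unmatched glob stays literal, so test that the file exists.
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# Constructed sample tree (not taken from the package) for a dry run.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/modules"
    printf '%s\n' '$INCLUDE ${confdir}/modules/' '$INCLUDE clients.conf' \
        > "$d/radiusd.conf"
    : > "$d/modules/pap"
    : > "$d/modules/pap.CSW"
    stray_csw_files "$d/radiusd.conf"    # prints .../modules/pap.CSW
    rm -rf "$d"
}

# With an argument, audit that radiusd.conf; without one, run the demo.
if [ $# -gt 0 ]; then stray_csw_files "$1"; else demo; fi
```

Empty output means no *.CSW file sits in a directory that radiusd.conf includes as a whole.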
(0009835)
leinenbach (reporter)
2012-04-26 09:09

Thank you! :)
(0009836)
dam (administrator)
2012-04-26 09:37

I guess you found the updated packages now for sparc and i386 on
  http://buildfarm.opencsw.org/experimental.html#freeradius
(0009837)
leinenbach (reporter)
2012-04-26 11:17

Indeed! :)

First look:

I think...
- your change of the configuration directory from /etc/opt/csw/raddb to /etc/opt/csw/freeradius
- and to deliver all config files just as .CSW
is a good idea.

You should rename:
sites-available/inner-tunnel to inner-tunnel.CSW
sites-available/soh to soh.CSW

The sites-enabled/default symlink is broken, but this is OK as this should be on purpose, as the sites-available/default file is missing because it is called .CSW before someone configures it.
(0009838)
leinenbach (reporter)
2012-04-26 12:01

Not sure, as the config files come from the freeradius developers... but I would comment out all sections in the experimental.conf and let the user uncomment the needed sections.
(0009839)
leinenbach (reporter)
2012-04-27 10:24

My test is successful so far.

As you created the user and group "radius" as it is recommended, you may want to uncomment these two lines of radiusd.conf

# user = radius
# group = radius
(0009840)
leinenbach (reporter)
2012-04-27 13:42

Now this is actually important:

I found some real problems in:
/etc/opt/csw/init.d/cswfreeradius

Change this line:
RADDBDIR=/etc/opt/csw/raddb
to this line:
RADDBDIR=/etc/opt/csw/freeradius

Then uncomment and change the following lines, so that you use radius:radius and not radmin:radius

This is how it should look:

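=======8<------------------------------------------------
# Bail out unless the daemon binary and its main config file exist.
test -f "$RADIUSD" || exit
test -f "$RADDBDIR/radiusd.conf" || exit

# Runtime directory, owned by radius:radius.
if [ ! -d "$rundir" ] ; then
    mkdir "$rundir"
    chown radius:radius "$rundir"
    chmod 775 "$rundir"
fi

# Log directory: no access for others, setgid so new files get the radius group.
if [ ! -d "$logdir" ] ; then
    mkdir "$logdir"
    chown radius:radius "$logdir"
    chmod 770 "$logdir"
    chmod g+s "$logdir"
fi

# Make sure the log file exists before fixing its ownership and mode.
if [ ! -f "$logdir/radius.log" ]; then
    touch "$logdir/radius.log"
fi

chown radius:radius "$logdir/radius.log"
chmod 660 "$logdir/radius.log"

=======8<------------------------------------------------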

Then please check your package installation script for creating these dirs:
/var/run/csw/run/radiusd
/var/run/csw/log/radius

They should have the same name, ownership and permission as in the script above.
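
An added example, not part of the original thread or of the package's install script: a read-only check that the run directory, the log directory and radius.log carry the owner, group and modes given in the note above. `path_matches`, `audit_radius_paths` and `demo` are hypothetical helper names, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not the cswfreeradius init script). Compares the run and log
# paths against the owner, group and modes given in the note above.
# Assumption: the caller passes the directories; nothing is changed on disk.

# path_matches PATH MODE OWNER GROUP: true only when all three match exactly.
path_matches() {
    [ -n "$(find "$1" -prune -perm "$2" -user "$3" -group "$4" 2>/dev/null)" ]
}

# audit_radius_paths RUNDIR LOGDIR OWNER GROUP
# Prints one line per path and returns 1 if any path has drifted.
audit_radius_paths() {
    rundir=$1; logdir=$2; owner=$3; group=$4; rc=0
    # chmod 770 followed by chmod g+s on the log directory gives mode 2770.
    for spec in "$rundir:775" "$logdir:2770" "$logdir/radius.log:660"; do
        path=${spec%:*}
        mode=${spec##*:}
        if path_matches "$path" "$mode" "$owner" "$group"; then
            printf 'ok     %s %s\n' "$mode" "$path"
        else
            printf 'DRIFT  %s %s\n' "$mode" "$path"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed tree owned by the current user; radius.log is left at 644 on
# purpose so the demo reports one drifted path.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/run" "$d/log"
    chmod 775 "$d/run"; chmod 770 "$d/log"; chmod g+s "$d/log"
    : > "$d/log/radius.log"; chmod 644 "$d/log/radius.log"
    audit_radius_paths "$d/run" "$d/log" "$(id -u)" "$(id -g)"
    rm -rf "$d"
}

# With four arguments, audit those paths, for example:
#   sh audit.sh /var/run/csw/run/radiusd /var/run/csw/log/radius radius radius
if [ $# -eq 4 ]; then audit_radius_paths "$@"; else demo; fi
```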
(0009849)
dam (administrator)
2012-05-02 16:16

A new set of packages 2.1.12,REV=2012.05.02 is available with all reported issues hopefully fixed:
  http://buildfarm.opencsw.org/experimental.html#freeradius
Please let me know if you find anything else.
(0009869)
dam (administrator)
2012-05-21 11:13

Any feedback on the latest set? If there are no more open issues I would like to release it.
(0009870)
leinenbach (reporter)
2012-05-21 11:23

Sorry for the late answer. I couldn't test the new package in the meantime, but I'll use it in an installation within the next two weeks. You can release it now or wait until I can give some more feedback.
(0009871)
dam (administrator)
2012-05-21 11:32

NP, I'll wait with the release for your feedback.
(0009971)
dam (administrator)
2012-06-19 10:36

Version 2.1.12,REV=2012.05.02 has been released to unstable/.

