On Wed, Nov 12, 2003 at 02:07:27AM +0100, Javier Fernández-Sanguino Peña wrote:
> Also, just another question. Is there any reason why it needs to run as
> root? (as I believe it does in the current Debian package) Would it be
> unreasonable to ask it to run as a 'radiusd' user?

I can almost guarantee that it shouldn't be running as root. I hope that
the new maintainer plans to change this.

> However, this is the way that currently the radiusd packages we provide
> (radiusd-cistron and radiusd-livingston) seem to operate. Is this at all
> necessary? (after all they use their separate users database)

The only reason I can think of for running a RADIUS server as root would
be to authenticate against UNIX passwords or such, which is a pretty bad
idea anyway. They should all run as non-root.

> PS: I'm not particularly worried about freeradius, I'm just raising some
> questions. It seems that our radiusd packages suffer from similar (if not
> worse) security issues and, furthermore, are not (I believe) that actively
> maintained upstream.

Packages which represent an attack vector and are not actively maintained
are a liability, and I think that they should not be included in Debian
releases. There are several packages in woody that we might have been
better off without, and I hope that we can do better with sarge.

--
 - mdz
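The message above argues that a RADIUS daemon should run as a dedicated 'radiusd' user rather than root. The following is an added example, not code from freeradius or either Debian radiusd package, showing how a daemon drops privileges irrevocably and checks that the drop stuck; the account name "radiusd" and the idea that the daemon opens its files and sockets before dropping are assumptions.

```c
#define _GNU_SOURCE             /* exposes setgroups()/initgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Irrevocably switch to uid/gid.  Order matters: supplementary groups,
 * then gid, then uid, since once the uid is unprivileged the earlier calls
 * would be refused.  groups_user non-NULL loads that account's groups,
 * NULL clears them.  Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid, const char *groups_user)
{
    if (geteuid() == 0) {       /* group changes need root; skip if not */
        int rc = groups_user ? initgroups(groups_user, gid)
                             : setgroups(0, NULL);
        if (rc != 0)
            return -1;
    }
    if (setgid(gid) != 0)       /* gid before uid */
        return -1;
    if (setuid(uid) != 0)       /* sets real, effective and saved uid */
        return -1;
    if (uid != 0) {             /* confirm the drop cannot be undone */
        if (getuid() != uid || geteuid() != uid)
            return -1;
        if (setuid(0) == 0 || setgid(0) == 0)
            return -1;          /* root regained: treat as fatal */
    }
    return 0;
}

/* Resolve a service account by name (e.g. "radiusd") and drop to it. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;              /* unknown account: refuse to start */
    return drop_privileges(pw->pw_uid, pw->pw_gid, name);
}

int main(void)
{
    /* A daemon opens its secret/config files and binds its sockets here,
     * then drops before handling any client packet ("radiusd" assumed). */
    if (drop_to_user("radiusd") != 0)
        return 1;
    puts("running unprivileged");
    return 0;
}
```

A daemon that reaches the verification step and finds it can still become root should exit rather than continue; the check is cheap and catches the classic mistake of calling setuid() before setgid().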