Re: Bug#155583: radiusd-freeradius history and future

2003-11-16 Thread Francesco Paolo Lovergine
On Sat, Nov 15, 2003 at 10:36:53AM +, Miquel van Smoorenburg wrote: > In article <[EMAIL PROTECTED]>, > Sam Hartman <[EMAIL PROTECTED]> wrote: > >I think dpkg-statoverride is not too bad in this case. I'll talk to > >the nis package maintainer and see if that's acceptable. If not, nis > >cou

Re: Bug#155583: radiusd-freeradius history and future

2003-11-15 Thread Miquel van Smoorenburg
In article <[EMAIL PROTECTED]>, Miquel van Smoorenburg <[EMAIL PROTECTED]> wrote: >In article <[EMAIL PROTECTED]>, >Sam Hartman <[EMAIL PROTECTED]> wrote: >>I think dpkg-statoverride is not too bad in this case. I'll talk to >>the nis package maintainer and see if that's acceptable. If not, nis

Re: Bug#155583: radiusd-freeradius history and future

2003-11-15 Thread Miquel van Smoorenburg
In article <[EMAIL PROTECTED]>, Sam Hartman <[EMAIL PROTECTED]> wrote: >I think dpkg-statoverride is not too bad in this case. I'll talk to >the nis package maintainer and see if that's acceptable. If not, nis >could install some flag file. The unix_chkpwd could start with root >privs, chuck fo

Re: Bug#155583: radiusd-freeradius history and future

2003-11-14 Thread Sam Hartman
> "Andreas" == Andreas Metzler <[EMAIL PROTECTED]> writes: Andreas> Steve Langasek <[EMAIL PROTECTED]> wrote: >> On Fri, Nov 14, 2003 at 11:37:45AM -0500, Matt Zimmerman wrote: Andreas> [...] >>> > I'd rather see a solution where we have some nis support >>> package that >

Re: Bug#155583: radiusd-freeradius history and future

2003-11-14 Thread Andreas Metzler
Steve Langasek <[EMAIL PROTECTED]> wrote: > On Fri, Nov 14, 2003 at 11:37:45AM -0500, Matt Zimmerman wrote: [...] >> > I'd rather see a solution where we have some nis support package that >> > makes unix_chkpwd setuid root when that support package is installed. >> This would be even better. > Y

Re: Bug#155583: radiusd-freeradius history and future

2003-11-14 Thread Steve Langasek
On Fri, Nov 14, 2003 at 11:37:45AM -0500, Matt Zimmerman wrote: > On Thu, Nov 13, 2003 at 11:16:59PM -0500, Sam Hartman wrote: > > > "Matt" == Matt Zimmerman <[EMAIL PROTECTED]> writes: > > Matt> I think a single "Will you be using NIS?" question would be > > Matt> justified; this cou

Re: Bug#155583: radiusd-freeradius history and future

2003-11-14 Thread Matt Zimmerman
On Thu, Nov 13, 2003 at 11:16:59PM -0500, Sam Hartman wrote: > > "Matt" == Matt Zimmerman <[EMAIL PROTECTED]> writes: > > Matt> I think a single "Will you be using NIS?" question would be > Matt> justified; this could provide defaults for md5 vs. crypt > Matt> passwords and setuid

Re: Bug#155583: radiusd-freeradius history and future

2003-11-13 Thread Sam Hartman
> "Matt" == Matt Zimmerman <[EMAIL PROTECTED]> writes: Matt> I think a single "Will you be using NIS?" question would be Matt> justified; this could provide defaults for md5 vs. crypt Matt> passwords and setuid-ness of unix_chkpwd, and so those Matt> questions could be suppress

Re: Bug#155583: radiusd-freeradius history and future

2003-11-13 Thread Matt Zimmerman
On Thu, Nov 13, 2003 at 09:26:09PM +0100, Andreas Metzler wrote: > Matt Zimmerman <[EMAIL PROTECTED]> wrote: > > On Wed, Nov 12, 2003 at 05:59:09PM +0100, Andreas Metzler wrote: > > The code does this: > > > if (strcmp(pwd->pw_passwd, "*NP*") == 0) { /* NIS+ > > */ > [...] > >

Re: Bug#155583: radiusd-freeradius history and future

2003-11-13 Thread Andreas Metzler
Matt Zimmerman <[EMAIL PROTECTED]> wrote: > On Wed, Nov 12, 2003 at 05:59:09PM +0100, Andreas Metzler wrote: >> You are wrong, unix_chkpwd does NIS (at least in the scenario I just >> tested). After changing unix_chkpwd from 4755 root:root to 2755 >> root:shadow a NIS user can not unlock the termin

Re: Bug#155583: radiusd-freeradius history and future

2003-11-13 Thread Matt Zimmerman
On Wed, Nov 12, 2003 at 05:59:09PM +0100, Andreas Metzler wrote: > You are wrong, unix_chkpwd does NIS (at least in the scenario I just > tested). After changing unix_chkpwd from 4755 root:root to 2755 > root:shadow a NIS user can not unlock the terminal he has just locked > himself with vlock any

Re: radiusd-freeradius history and future

2003-11-13 Thread Matt Zimmerman
On Thu, Nov 13, 2003 at 05:52:13PM +1100, Russell Coker wrote: > On Thu, 13 Nov 2003 12:54, Steve Langasek <[EMAIL PROTECTED]> wrote: > > > This is so ugly. > > > > Last I looked, there wasn't much in NIS that wasn't.  I think the amount > > of pain we should put other users through on account of

Re: radiusd-freeradius history and future

2003-11-13 Thread Andreas Metzler
Steve Langasek <[EMAIL PROTECTED]> wrote: > On Thu, Nov 13, 2003 at 11:50:05AM +1100, Russell Coker wrote: >> On Thu, 13 Nov 2003 11:15, Andreas Metzler <[EMAIL PROTECTED]> >> wrote: Or do you have to be root for getpwnam() to work on NIS accounts? >>> In certain NIS configurations you can o

Re: radiusd-freeradius history and future

2003-11-13 Thread Andreas Metzler
Russell Coker <[EMAIL PROTECTED]> wrote: > On Thu, 13 Nov 2003 11:15, Andreas Metzler <[EMAIL PROTECTED]> > wrote: >> > Or do you have to be root for getpwnam() to work on NIS accounts? >> In certain NIS configurations you can only access the hashed password >> if your query to the NIS server com

Re: radiusd-freeradius history and future

2003-11-13 Thread Miquel van Smoorenburg
In article <[EMAIL PROTECTED]>, Steve Langasek <[EMAIL PROTECTED]> wrote: >-=-=-=-=-=- > >On Thu, Nov 13, 2003 at 11:50:05AM +1100, Russell Coker wrote: >> On Thu, 13 Nov 2003 11:15, Andreas Metzler <[EMAIL PROTECTED]> >> wrote: >> > > Or do you have to be root for getpwnam() to work on NIS accou

Re: radiusd-freeradius history and future

2003-11-13 Thread Russell Coker
On Thu, 13 Nov 2003 12:54, Steve Langasek <[EMAIL PROTECTED]> wrote: > > This is so ugly. > > Last I looked, there wasn't much in NIS that wasn't.  I think the amount > of pain we should put other users through on account of NIS is very > small (e.g., no longer asking about non-md5 passwords on ins

Re: radiusd-freeradius history and future

2003-11-12 Thread Steve Langasek
On Thu, Nov 13, 2003 at 11:50:05AM +1100, Russell Coker wrote: > On Thu, 13 Nov 2003 11:15, Andreas Metzler <[EMAIL PROTECTED]> > wrote: > > > Or do you have to be root for getpwnam() to work on NIS accounts? > > In certain NIS configurations you can only access the hashed password > > if your qu

Re: radiusd-freeradius history and future

2003-11-12 Thread Henning Makholm
Scripsit Russell Coker <[EMAIL PROTECTED]> > Maybe we should have a debconf option for whether the program in question is > to be SETUID root or SETGID shadow? Then the minority of people who use NIS > can have full functionality, while the majority of people who don't use NIS > can have bette

Re: radiusd-freeradius history and future

2003-11-12 Thread Russell Coker
On Thu, 13 Nov 2003 11:15, Andreas Metzler <[EMAIL PROTECTED]> wrote: > > Or do you have to be root for getpwnam() to work on NIS accounts? > > In certain NIS configurations you can only access the hashed password > if your query to the NIS server comes from a privileged port <=1024, > i.e. afaict

Re: radiusd-freeradius history and future

2003-11-12 Thread Andreas Metzler
On Thu, Nov 13, 2003 at 10:43:58AM +1100, Russell Coker wrote: > On Thu, 13 Nov 2003 03:59, Andreas Metzler wrote: >>> Also I believe that Lee's statement regarding NIS is incorrect, >>> unix_chkpwd only does /etc/shadow. >> testing. >> You are wrong, unix_chkpwd does NIS (at least in the sze

Re: radiusd-freeradius history and future

2003-11-12 Thread Paul Hampson
On Wed, Nov 12, 2003 at 12:53:39PM -0600, Steve Langasek wrote: > On Wed, Nov 12, 2003 at 08:35:53AM +1100, Paul Hampson wrote: > > I've been splitting out ODBC support locally since the very beginning, > > but every time I mooted it, Wichert Akkerman (amongst others, but he was > > at the time gat

Re: radiusd-freeradius history and future

2003-11-12 Thread Paul Hampson
On Wed, Nov 12, 2003 at 01:24:32PM +, Miquel van Smoorenburg wrote: > In article <[EMAIL PROTECTED]>, > Paul Hampson <[EMAIL PROTECTED]> wrote: > >Cistron begat FreeRADIUS. FreeRADIUS is certainly actively maintained > >upstream. xtRADIUS is also begat of Cistron. I'd assumed that Cistron > >i

Re: radiusd-freeradius history and future

2003-11-12 Thread Russell Coker
On Thu, 13 Nov 2003 03:59, Andreas Metzler wrote: > > Also I believe that Lee's statement regarding NIS is incorrect, > > unix_chkpwd only does /etc/shadow. > > testing. > > You are wrong, unix_chkpwd does NIS (at least in the scenario I just > tested). After changing unix_chkpwd from 4755 root

Re: radiusd-freeradius history and future

2003-11-12 Thread Steve Langasek
On Wed, Nov 12, 2003 at 08:35:53AM +1100, Paul Hampson wrote: > On Tue, Nov 11, 2003 at 03:23:24PM -0600, Steve Langasek wrote: > > On Wed, Nov 12, 2003 at 08:00:40AM +1100, Paul Hampson wrote: > > > PostgreSQL requires license changes, and I've not had much luck building > > > impetus for this, no

Re: Security liabilities (Re: radiusd-freeradius history and future)

2003-11-12 Thread Steve Langasek
On Tue, Nov 11, 2003 at 07:44:01PM -0500, Matt Zimmerman wrote: > This is exactly the kind of situation I don't want going forward...there is > so much neglected software in Debian that bugs like these sometimes go > unnoticed, or even if they are noticed, the maintainer doesn't care enough > abou

Re: radiusd-freeradius history and future

2003-11-12 Thread Steve Langasek
On Wed, Nov 12, 2003 at 05:23:09PM +0100, Javier Fernández-Sanguino Peña wrote: > > It does adduser freerad shadow on first installation, but not after that > > (on the advice of Steve Langasek) to allow the local authentication code > > to work, and to give the admin the freedom to disable this fo

Re: radiusd-freeradius history and future

2003-11-12 Thread Andreas Metzler
On Wed, Nov 12, 2003 at 03:36:40PM +1100, Russell Coker wrote: > On Wed, 12 Nov 2003 13:47, Matt Zimmerman wrote: [...] > unix_chkpwd is a reasonable solution to this. >>> One possible solution to this is to have a special GID for >>> non-root programs which are allowed to check passwords. I woul

Re: radiusd-freeradius history and future

2003-11-12 Thread Javier Fernández-Sanguino Peña
On Thu, Nov 13, 2003 at 12:19:02AM +1100, Paul Hampson wrote: > On Wed, Nov 12, 2003 at 02:07:27AM +0100, Javier Fernández-Sanguino Peña > wrote: > > > Maybe I'm mistaken, but the rpm spec file seems to use a 'radiusd' user > > whereas the Debian rules package does not. I would be more confident

Re: radiusd-freeradius history and future

2003-11-12 Thread Miquel van Smoorenburg
In article <[EMAIL PROTECTED]>, Paul Hampson <[EMAIL PROTECTED]> wrote: >Cistron begat FreeRADIUS. FreeRADIUS is certainly actively maintained >upstream. xtRADIUS is also begat of Cistron. I'd assumed that Cistron >is dead upstream too, and xtRADIUS active. Cistron radius is not dead. It's just i

Re: Security liabilities (Re: radiusd-freeradius history and future)

2003-11-12 Thread Paul Hampson
On Tue, Nov 11, 2003 at 07:44:01PM -0500, Matt Zimmerman wrote: > On Wed, Nov 12, 2003 at 09:18:38AM +1100, Paul Hampson wrote: > > On Tue, Nov 11, 2003 at 04:30:50PM -0500, Matt Zimmerman wrote: > > > CAN-2001-1376 and CAN-2001-1377 made the rounds last Spring, with > > > advisories > > > from Re

Re: radiusd-freeradius history and future

2003-11-12 Thread Paul Hampson
On Wed, Nov 12, 2003 at 02:07:27AM +0100, Javier Fernández-Sanguino Peña wrote: > On Tue, Nov 11, 2003 at 02:02:49PM -0500, Matt Zimmerman wrote: > > On Tue, Nov 11, 2003 at 11:52:00AM -0600, Steve Langasek wrote: > > > The packages at will be sponsored into > >

Re: radiusd-freeradius history and future

2003-11-12 Thread Francesco P. Lovergine
On Wed, Nov 12, 2003 at 03:37:29PM +1100, Russell Coker wrote: > On Wed, 12 Nov 2003 14:11, Javier Fernández-Sanguino Peña wrote: > > That would need a reimplementation of some (all?) of the servers. Wouldn't > > it? Old ones (cistron, livingston) call getpwnam()|getspnam() to retrieve > > the user

Re: radiusd-freeradius history and future

2003-11-11 Thread Matt Zimmerman
On Wed, Nov 12, 2003 at 03:36:40PM +1100, Russell Coker wrote: > On Wed, 12 Nov 2003 13:47, Matt Zimmerman wrote: > > We already have such a group, named "shadow". In fact, I don't know why > > unix_chkpwd is setuid root rather than setgid shadow. > > Bug report #155583 has been open for over a

Re: radiusd-freeradius history and future

2003-11-11 Thread Russell Coker
On Wed, 12 Nov 2003 14:11, Javier Fernández-Sanguino Peña wrote: > That would need a reimplementation of some (all?) of the servers. Wouldn't > it? Old ones (cistron, livingston) call getpwnam()|getspnam() to retrieve > the user's encrypted passwords. New ones (freeradius) can alternatively > talk

Re: radiusd-freeradius history and future

2003-11-11 Thread Russell Coker
On Wed, 12 Nov 2003 13:47, Matt Zimmerman wrote: > On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote: > > Allowing a RADIUS server to authenticate local users against /etc/shadow > > is standard and expected functionality IMHO. I consider any RADIUS > > server which can't authenticate

Re: radiusd-freeradius history and future

2003-11-11 Thread Matt Zimmerman
On Wed, Nov 12, 2003 at 04:11:38AM +0100, Javier Fernández-Sanguino Peña wrote: > On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote: > > Allowing a RADIUS server to authenticate local users against /etc/shadow > > is standard and expected functionality IMHO. I consider any RADIUS > >

Re: radiusd-freeradius history and future

2003-11-11 Thread Javier Fernández-Sanguino Peña
On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote: > On Wed, 12 Nov 2003 12:40, Matt Zimmerman wrote: > > The only reason I can think of for running a RADIUS server as root would be > > to authenticate against UNIX passwords or such, which is a pretty bad idea > > anyway.  They should a

Re: radiusd-freeradius history and future

2003-11-11 Thread Matt Zimmerman
On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote: > Allowing a RADIUS server to authenticate local users against /etc/shadow > is standard and expected functionality IMHO. I consider any RADIUS server > which can't authenticate against the local accounts database to be > severely bro

Re: radiusd-freeradius history and future

2003-11-11 Thread Russell Coker
On Wed, 12 Nov 2003 12:40, Matt Zimmerman wrote: > The only reason I can think of for running a RADIUS server as root would be > to authenticate against UNIX passwords or such, which is a pretty bad idea > anyway.  They should all run as non-root. Allowing a RADIUS server to authenticate local use

Re: radiusd-freeradius history and future

2003-11-11 Thread Matt Zimmerman
On Wed, Nov 12, 2003 at 02:07:27AM +0100, Javier Fernández-Sanguino Peña wrote: > Also, just another question. Is there any reason why it needs to run as > root? (as I believe it does in the current Debian package) Would it be > unreasonable to ask it to run as a 'radiusd' user? I can almost gua

Re: radiusd-freeradius history and future

2003-11-11 Thread Javier Fernández-Sanguino Peña
On Tue, Nov 11, 2003 at 02:02:49PM -0500, Matt Zimmerman wrote: > On Tue, Nov 11, 2003 at 11:52:00AM -0600, Steve Langasek wrote: > > > The packages at will be sponsored into > > the archive as soon as I've had a chance to review them (this week). > > This thing

Security liabilities (Re: radiusd-freeradius history and future)

2003-11-11 Thread Matt Zimmerman
On Wed, Nov 12, 2003 at 09:18:38AM +1100, Paul Hampson wrote: > On Tue, Nov 11, 2003 at 04:30:50PM -0500, Matt Zimmerman wrote: > > CAN-2001-1376 and CAN-2001-1377 made the rounds last Spring, with advisories > > from Red Hat, FreeBSD, SuSE, Conectiva, CERT, etc. These affected multiple > > RADIU

Re: radiusd-freeradius history and future

2003-11-11 Thread Oliver Elphick
On Tue, 2003-11-11 at 21:53, Steve Langasek wrote: > On Tue, Nov 11, 2003 at 09:39:52PM +, Oliver Elphick wrote: > > On Tue, 2003-11-11 at 21:00, Paul Hampson wrote: > > > PostgreSQL requires license changes, and I've not had much luck building > > > impetus for this, nor even identified an exac

Re: radiusd-freeradius history and future

2003-11-11 Thread Paul Hampson
On Tue, Nov 11, 2003 at 09:39:52PM +, Oliver Elphick wrote: > On Tue, 2003-11-11 at 21:00, Paul Hampson wrote: > > PostgreSQL requires license changes, and I've not had much luck building > > impetus for this, nor even identified an exact change that would be > > needed. > > I'm intrigued as to

Re: radiusd-freeradius history and future

2003-11-11 Thread Paul Hampson
On Tue, Nov 11, 2003 at 04:30:50PM -0500, Matt Zimmerman wrote: > On Wed, Nov 12, 2003 at 08:03:28AM +1100, Paul Hampson wrote: > > > On Tue, Nov 11, 2003 at 02:02:49PM -0500, Matt Zimmerman wrote: > > > This thing is packed full of strcpy() and strcat(), which is the sort of > > > sloppiness that

Re: radiusd-freeradius history and future

2003-11-11 Thread Steve Langasek
On Tue, Nov 11, 2003 at 09:39:52PM +, Oliver Elphick wrote: > On Tue, 2003-11-11 at 21:00, Paul Hampson wrote: > > PostgreSQL requires license changes, and I've not had much luck building > > impetus for this, nor even identified an exact change that would be > > needed. > I'm intrigued as to h

Re: radiusd-freeradius history and future

2003-11-11 Thread Oliver Elphick
On Tue, 2003-11-11 at 21:00, Paul Hampson wrote: > PostgreSQL requires license changes, and I've not had much luck building > impetus for this, nor even identified an exact change that would be > needed. I'm intrigued as to how the PostgreSQL licence can conflict with anything, since it's BSD. --

Re: radiusd-freeradius history and future

2003-11-11 Thread Paul Hampson
On Tue, Nov 11, 2003 at 03:23:24PM -0600, Steve Langasek wrote: > On Wed, Nov 12, 2003 at 08:00:40AM +1100, Paul Hampson wrote: > > > PostgreSQL requires license changes, and I've not had much luck building > > impetus for this, nor even identified an exact change that would be > > needed. > > As

Re: radiusd-freeradius history and future

2003-11-11 Thread Matt Zimmerman
On Wed, Nov 12, 2003 at 08:03:28AM +1100, Paul Hampson wrote: > On Tue, Nov 11, 2003 at 02:02:49PM -0500, Matt Zimmerman wrote: > > This thing is packed full of strcpy() and strcat(), which is the sort of > > sloppiness that I don't like to see in a network server. It was a great > > blessing to

Re: radiusd-freeradius history and future

2003-11-11 Thread Steve Langasek
On Wed, Nov 12, 2003 at 08:00:40AM +1100, Paul Hampson wrote: > PostgreSQL requires license changes, and I've not had much luck building > impetus for this, nor even identified an exact change that would be > needed. As an aside, it should be possible to connect freeradius to a postgresql server u

Re: radiusd-freeradius history and future

2003-11-11 Thread Paul Hampson
On Tue, Nov 11, 2003 at 02:02:49PM -0500, Matt Zimmerman wrote: > On Tue, Nov 11, 2003 at 11:52:00AM -0600, Steve Langasek wrote: > > > The packages at will be sponsored into > > the archive as soon as I've had a chance to review them (this week). > > This thing

Re: radiusd-freeradius history and future

2003-11-11 Thread Paul Hampson
On Tue, Nov 11, 2003 at 10:13:22AM +0100, Javier Fernández-Sanguino Peña wrote: > On Sun, Jan 12, 2003 at 01:21:53PM -0500, Chad Miller wrote: > > [cc debian-devel] > > On Sun, Jan 12, 2003 at 05:07:41PM +0100, Toni Mueller wrote: > > > [...] Who withdrew [radiusd-freeradius] or caus

Re: radiusd-freeradius history and future

2003-11-11 Thread Matt Zimmerman
On Tue, Nov 11, 2003 at 11:52:00AM -0600, Steve Langasek wrote: > The packages at will be sponsored into > the archive as soon as I've had a chance to review them (this week). This thing is packed full of strcpy() and strcat(), which is the sort of sloppiness th

Re: radiusd-freeradius history and future

2003-11-11 Thread Steve Langasek
On Tue, Nov 11, 2003 at 10:13:22AM +0100, Javier Fernández-Sanguino Peña wrote: > On Sun, Jan 12, 2003 at 01:21:53PM -0500, Chad Miller wrote: > > [cc debian-devel] > > > > On Sun, Jan 12, 2003 at 05:07:41PM +0100, Toni Mueller wrote: > > > [...] Who withdrew [radiusd-freeradius] or

Re: radiusd-freeradius history and future

2003-11-11 Thread Chad Miller
On Tue, Nov 11, 2003 at 10:13:22AM +0100, Javier Fernández-Sanguino Peña wrote: > On Sun, Jan 12, 2003 at 01:21:53PM -0500, Chad Miller wrote: > > [cc debian-devel] > > > > On Sun, Jan 12, 2003 at 05:07:41PM +0100, Toni Mueller wrote: > > > [...] Who withdrew [radiusd-freeradius] or

Re: radiusd-freeradius history and future

2003-11-11 Thread Javier Fernández-Sanguino Peña
On Sun, Jan 12, 2003 at 01:21:53PM -0500, Chad Miller wrote: > [cc debian-devel] > > On Sun, Jan 12, 2003 at 05:07:41PM +0100, Toni Mueller wrote: > > [...] Who withdrew [radiusd-freeradius] or caused its > > withdrawal, then? Curious minds want to know, and also, it's a bit > > mis