List:       freeradius-users
Subject:    Re: Freeradius DHCP and "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not pe
From:       Benjamin Thompson <b.thompson () hydra-billing ! com>
Date:       2022-09-11 7:41:29
Message-ID: CAD021m-J0EAvn4dB9+AibEVQ5t1PhKPCvMgJjn4ZmGFztV6P_w () mail ! gmail ! com

> > Then I checked that it is set up by getcap /usr/sbin/freeradius and it
> > was
> > /usr/sbin/freeradius = cap_net_admin+ei
>
>   That should work.
>
> > But there is still Failed adding ARP entry: Failed to add entry in ARP
> > cache: Operation not permitted (1)
>

Hi

I ran into this issue and did some investigation. What I found was that if
you set the permissions as follows:

setcap cap_net_admin,cap_net_bind_service=eip /usr/local/sbin/radiusd

This works as long as you do not launch FreeRADIUS as root.

So for example I have a normal user called "radius" specified in
radiusd.conf:

security {
    user = radius
    group = radius
    ...
}

This does not work:
root@computer# radiusd -X

This works:
radius@computer$ radiusd -X

So what seems to be happening is that although we assign the capabilities
to the radiusd executable, if we launch as a different user to what is in
radiusd.conf then those capabilities are lost when FreeRADIUS switches user.

I also tried adding "ambient" capabilities as follows:

capsh --caps="cap_setpcap,cap_setuid,cap_setgid,cap_net_admin,cap_net_bind_service+eip" \
      --keep=1 --user=radius --addamb=cap_net_admin,cap_net_bind_service -- \
      -c "/usr/local/sbin/radiusd -X"

This also works fine.

--
Benjamin Thompson
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
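The behaviour Benjamin describes (file capabilities present on the binary, but gone after the daemon switches to the "radius" user unless it was started as that user or given ambient capabilities) can be confirmed directly from the kernel's view of the process rather than by waiting for the ARP error. The script below is an added example, not code from this mail or from the FreeRADIUS project. It decodes the CapEff (effective) and CapAmb (ambient) bitmasks that /proc/<pid>/status exposes and reports whether CAP_NET_ADMIN (bit 12) and CAP_NET_BIND_SERVICE (bit 10) are held. The three status excerpts it writes are constructed to mirror the three launch scenarios in the mail; they are not real captures.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeRADIUS): decode the
# capability bitmasks in /proc/<pid>/status so you can check, on a running
# radiusd, whether CAP_NET_ADMIN survived the switch to the "radius" user.
# Capability numbers are the kernel's own (linux/capability.h).
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12

# cap_bit_set HEXMASK CAPNUM: succeed if bit CAPNUM is set in the 64-bit mask.
cap_bit_set() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# status_field FILE NAME: print the hex mask for a line such as "CapEff:\t...".
status_field() {
    awk -v key="$2:" '$1 == key { print $2 }' "$1"
}

# cap_check FILE CAPNUM: print the names of the sets (CapEff, CapAmb) that hold
# the capability, or "none" if neither does.
cap_check() {
    file=$1
    cap=$2
    found=""
    for capset in CapEff CapAmb; do
        mask=$(status_field "$file" "$capset")
        if [ -n "$mask" ] && cap_bit_set "$mask" "$cap"; then
            found="$found $capset"
        fi
    done
    if [ -z "$found" ]; then echo none; else echo "${found# }"; fi
}

# sample_status CAPEFF CAPAMB: write a constructed /proc/<pid>/status excerpt
# (not a real capture) to a temp file and print its path.
sample_status() {
    f=$(mktemp)
    printf 'Name:\tradiusd\nUid:\t1001\t1001\t1001\t1001\nCapInh:\t0000000000000000\nCapPrm:\t%s\nCapEff:\t%s\nCapAmb:\t%s\n' \
        "$1" "$1" "$2" > "$f"
    echo "$f"
}

# Scenario 1: launched as root, daemon switched to "radius": file caps dropped.
as_root=$(sample_status 0000000000000000 0000000000000000)
# Scenario 2: launched as "radius": file caps (cap_net_admin,cap_net_bind_service=eip)
# are honoured, so bits 10 and 12 (0x1400) are in CapEff.
as_radius=$(sample_status 0000000000001400 0000000000000000)
# Scenario 3: launched via capsh --addamb: the same bits also sit in CapAmb.
ambient=$(sample_status 0000000000001400 0000000000001400)

echo "started as root:   CAP_NET_ADMIN in $(cap_check "$as_root" "$CAP_NET_ADMIN")"
echo "started as radius: CAP_NET_ADMIN in $(cap_check "$as_radius" "$CAP_NET_ADMIN")"
echo "via capsh ambient: CAP_NET_ADMIN in $(cap_check "$ambient" "$CAP_NET_ADMIN")"
# Against a live daemon: cap_check /proc/$(pidof radiusd)/status "$CAP_NET_ADMIN"
rm -f "$as_root" "$as_radius" "$ambient"
```

Run it against a real process with `cap_check /proc/<pid>/status 12` after radiusd has dropped privileges; "none" means the ARP cache updates will fail, whatever getcap reports for the binary.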