List: freeradius-users
Subject: Re: Freeradius DHCP and "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not pe
From: Benjamin Thompson <b.thompson () hydra-billing ! com>
Date: 2022-09-11 7:41:29
Message-ID: CAD021m-J0EAvn4dB9+AibEVQ5t1PhKPCvMgJjn4ZmGFztV6P_w () mail ! gmail ! com
> > Then I checked that it is set up by getcap /usr/sbin/freeradius and it
> was
> > /usr/sbin/freeradius = cap_net_admin+ei
>
> That should work.
>
> > But there is still Failed adding ARP entry: Failed to add entry in ARP
> > cache: Operation not permitted (1)
>
Hi
I ran into this issue and did some investigation. What I found was that if
you set the permissions as follows:
setcap cap_net_admin,cap_net_bind_service=eip /usr/local/sbin/radiusd
This works as long as you do not launch FreeRADIUS as root.
So for example I have a normal user called "radius" specified in
radiusd.conf:
security {
user = radius
group = radius
...
}
This does not work:
root@computer# radiusd -X
This works:
radius@computer$ radiusd -X
So what seems to be happening is that although we assign the capabilities
to the radiusd executable, if we launch as a different user from the one in
radiusd.conf then those capabilities are lost when FreeRADIUS switches user.
I also tried adding "ambient" capabilities as follows:
capsh --caps="cap_setpcap,cap_setuid,cap_setgid,cap_net_admin,cap_net_bind_service+eip" \
--keep=1 --user=radius --addamb=cap_net_admin,cap_net_bind_service -- \
-c "/usr/local/sbin/radiusd -X"
This also works fine.
--
Benjamin Thompson
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
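An added check (not part of the post above, and not FreeRADIUS code) that tells you whether a running radiusd actually kept CAP_NET_ADMIN and CAP_NET_BIND_SERVICE after the user switch, by decoding the CapEff mask in /proc/PID/status. The capability bit numbers are those from linux/capability.h; the two status-file samples are constructed.

```shell
#!/bin/sh
# Capability bit numbers (from <linux/capability.h>).
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12

# has_cap HEXMASK BIT -> exit 0 if BIT is set in the 64-bit hex mask.
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# cap_field STATUS_TEXT NAME -> hex mask of NAME (e.g. CapEff) from status text.
cap_field() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# check_status STATUS_TEXT -> "ok" if both caps are in the effective set,
# "missing" otherwise (including when no CapEff line is present at all).
check_status() {
    eff=$(cap_field "$1" CapEff)
    if [ -z "$eff" ]; then
        echo missing
        return
    fi
    if has_cap "$eff" "$CAP_NET_ADMIN" && has_cap "$eff" "$CAP_NET_BIND_SERVICE"; then
        echo ok
    else
        echo missing
    fi
}

# check_pid PID -> the same check against a live process, e.g. pidof radiusd.
check_pid() {
    check_status "$(cat /proc/"$1"/status)"
}

# Constructed samples (real /proc output separates fields with a tab; awk
# treats any whitespace the same). LOST is a radiusd that dropped everything
# on setuid; KEPT is one started via capsh --addamb, where bits 10 and 12
# (0x400 | 0x1000 = 0x1400) survive in the inheritable, effective and ambient sets.
LOST='Name: radiusd
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapAmb: 0000000000000000'
KEPT='Name: radiusd
CapInh: 0000000000001400
CapPrm: 0000000000001400
CapEff: 0000000000001400
CapAmb: 0000000000001400'
```

Run `check_pid "$(pidof radiusd)"` after starting the daemon either way described above; "missing" with an all-zero CapEff is exactly the state that produces the "Operation not permitted" ARP error.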