Univention Bugzilla – Bug 50887
freeradius is unable to start due to permissions of /etc/freeradius/ssl
Last modified: 2020-06-10 14:43:00 CEST
UCS: 4.4-3 errata455 Installed: cups=2.2.1 dhcp-server=12.0 opsi=4.1.1.10-6 radius=5.0 samba4=4.10 squid=3.5 ucsschool=4.4 v4 Upgradable: 80univention-radius creates the directory "/etc/freeradius/ssl" and then copies the certificate and the private key into that directory. I've seen several installations where the directory is missing the group permissions. As a consequence the freeradius service is unable to start: > Unable to check file "/etc/freeradius/ssl/private.key": Permission denied The problem seems to be the missing "group::r-x" on the affected systems: # getfacl /etc/freeradius/ssl/ getfacl: Entferne führende '/' von absoluten Pfadnamen # file: etc/freeradius/ssl/ # owner: root # group: freerad # flags: -s- user::rwx group::--- other::--- while on a working system it looks like this: # getfacl /etc/freeradius/ssl/ getfacl: Entferne führende '/' von absoluten Pfadnamen # file: etc/freeradius/ssl/ # owner: root # group: freerad # flags: -s- user::rwx group::r-x other::r-x I still don't know _why_ this happens on some systems. But I figured we could just add one more chmod command to 80univention-radius.inst as a safety net. Customer in forum: https://help.univention.com/t/13476
Package: univention-radius Version: 6.0.2-25A~4.4.0.202006081555 Branch: ucs_4.4-0 Scope: errata4.4-4 2a8dba7b64 Bug #50887: Permissions for radius in postinst 00a27d9298 Bug #50887: changelog 7c4d8ab01a Bug #50887: yaml updated dd49035810 Bug #50887, fix /etc/freeradius/ssl ownership 8b18bbb680 Bug #50887: condition for permission setting 23c3b03cac Bug #50887: changelog updated f918ae611 Bug #50887: Radius permissions set during installation Permissions are now set via "univention-radius.postinst" (if path exists) and "80univention-radius.inst". Package: univention-management-console-module-diagnostic Version: 5.0.1-49A~4.4.0.202006041601 Branch: ucs_4.4-0 Scope: errata4.4-4 3693745d37 Bug #50887: Diagnostic check for radius permissions 43b72f1aad Bug #50887: yaml diagnostic module A new diagnostic check has been added. Path "/etc/freeradius/ssl" is checked for correct permissions.
I installed the usual package without the bug fix and it created this directory structure: ``` ├── [drwxr-xr-x freerad freerad ] 3.0 │ ├── [drwxr-xr-x freerad freerad ] certs │ ├── [drwxr-xr-x freerad freerad ] mods-available │ ├── [drwxr-xr-x freerad freerad ] mods-config │ │ ├── [drwxr-xr-x freerad freerad ] attr_filter │ │ ├── [drwxr-xr-x freerad freerad ] files │ │ ├── [drwxr-xr-x freerad freerad ] perl │ │ ├── [drwxr-xr-x freerad freerad ] preprocess │ │ ├── [drwxr-xr-x freerad freerad ] python │ │ ├── [drwxr-xr-x freerad freerad ] sql │ │ │ ├── [drwxr-xr-x freerad freerad ] counter │ │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ ├── [drwxr-xr-x freerad freerad ] postgresql │ │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ │ ├── [drwxr-xr-x freerad freerad ] cui │ │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ ├── [drwxr-xr-x freerad freerad ] postgresql │ │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ │ ├── [drwxr-xr-x freerad freerad ] ippool │ │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ ├── [drwxr-xr-x freerad freerad ] oracle │ │ │ │ ├── [drwxr-xr-x freerad freerad ] postgresql │ │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ │ ├── [drwxr-xr-x freerad freerad ] ippool-dhcp │ │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ ├── [drwxr-xr-x freerad freerad ] oracle │ │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ │ └── [drwxr-xr-x freerad freerad ] main │ │ │ ├── [drwxr-xr-x freerad freerad ] mssql │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ └── [drwxr-xr-x freerad freerad ] extras │ │ │ │ └── [drwxr-xr-x freerad freerad ] wimax │ │ │ ├── [drwxr-xr-x freerad freerad ] ndb │ │ │ ├── [drwxr-xr-x freerad freerad ] oracle │ │ │ ├── [drwxr-xr-x freerad freerad ] postgresql │ │ │ │ └── [drwxr-xr-x freerad freerad ] extras │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ └── [drwxr-xr-x freerad freerad ] unbound │ ├── [drwxr-xr-x freerad freerad ] mods-enabled │ ├── [drwxr-xr-x freerad freerad ] policy.d │ ├── [drwxr-xr-x freerad freerad ] sites-available │ └── [drwxr-xr-x freerad freerad ] sites-enabled └── [drwxr-sr-x root freerad ] ssl ``` Everything looks okay, so I mofied the permissions for `/etc/freeradius/ssl` with `chmod go-rx /etc/freeradius/ssl/` and then installed the upcoming patch. The patch fixes the permission problem automatically during the package update -> verified, issue is fixed
A suggestion was made by Florian to use a `dpkg-statoverride` instead of `chmod`. That would allow the system administrator to adapt the permissions and the solution would nevertheless survive any package update. The debian documentation states under point 10.9 "Permissions and Owners", footnote 14 (https://www.debian.org/doc/debian-policy/ch-files.html#id29): "To correctly change permissions of a directory the package owns, explicit action is required, usually in the `postinst` script". With our fix we followed that approach as it solves the bug, even though configurability would have been a nice and new feature.
<http://errata.software-univention.de/ucs/4.4/623.html> <http://errata.software-univention.de/ucs/4.4/624.html>