55963 – univention-radius-ntlm-auth cannot read /etc/machine.secret anymore

Bug 55963 - univention-radius-ntlm-auth cannot read /etc/machine.secret anymore

Summary: univention-radius-ntlm-auth cannot read /etc/machine.secret anymore

Status:	CLOSED FIXED

Alias:	None

Product:	UCS
Classification:	Unclassified
Component:	Radius
Version:	UCS 5.2
Hardware:	Other Linux

Importance:	P5 normal
Target Milestone:	UCS 5.1
Assignee:	Florian Best
QA Contact:	Juan Carlos

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-04-13 10:19 CEST by Florian Best
Modified:	2025-02-05 15:08 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Best

2023-04-13 10:19:47 CEST

When changing the debug mode via `-X` in /etc/default/freeradius the following traceback occurs in journalctl -u freeradius.service when executing the tests (e.g. 45_radius/02_eap_test.py):

Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 78, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/bin/univention-radius-ntlm-auth", line 63, in main
    networkAccess = NetworkAccess(options.username, options.station_id, logfile=LOGFIILE)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/radius/networkaccess.py", line 104, in __init__
    self.ldapConnection = get_ldapConnection()
                          ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/radius/networkaccess.py", line 70, in get_ldapConnection
    return univention.uldap.getMachineConnection(ldap_master=False, reconnect=False)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 172, in getMachineConnection
    bindpw = open(secret_file).read().rstrip('\n')
             ^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/etc/machine.secret'

For this we have the setuid wrapper (services/univention-radius/univention-radius-ntlm-auth-suidwrapper.c) but the upstream systemd /usr/lib/systemd/system/freeradius.service definition changed and disallows user change:

NoNewPrivileges=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
SystemCallArchitectures=native

→ we have to either adjust the service or need a machine.secret readable by the freeradius user.

Comment 1 Florian Best

2023-04-13 12:27:05 CEST

Changing only the secret file is not enough:

Traceback (most recent call last):                                                               
  File "/usr/bin/univention-radius-ntlm-auth", line 78, in <module>                            
    sys.exit(main())                                                                                          
             ^^^^^^                                                                                                                                                     
  File "/usr/bin/univention-radius-ntlm-auth", line 63, in main                                                                                                         
    networkAccess = NetworkAccess(options.username, options.station_id, logfile=LOGFIILE)                                                                               
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                                                               
  File "/usr/lib/python3/dist-packages/univention/radius/networkaccess.py", line 109, in __init__
    self._setup_logger(loglevel, logfile)                                                                                                                               
  File "/usr/lib/python3/dist-packages/univention/radius/networkaccess.py", line 125, in _setup_logger
    log_handler = logging.FileHandler(logfile)  # type: logging.Handler
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/logging/__init__.py", line 1181, in __init__
    StreamHandler.__init__(self, self._open())                                                                                                                          
                                 ^^^^^^^^^^^^                             
  File "/usr/lib/python3.11/logging/__init__.py", line 1213, in _open
    return open_func(self.baseFilename, self.mode,                          
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                          
PermissionError: [Errno 13] Permission denied: '/var/log/univention/radius_ntlm_auth.log'

Comment 3 Juan Carlos

2023-10-25 10:09:15 CEST

QA:

Code: OK
Changelog: OK

Comment 4 Florian Best

2024-03-08 10:36:05 CET

univention-radius (8.0.4)
3509a3e02ed9 | fix(radius): add /etc/freeradius.secret credentials file