Configuration comment suggests non-default /tmp/radius configuration which doesn't exist by default

Bug #1850927 reported by EAB
This bug affects 1 person
Affects: freeradius (Ubuntu)
Status: Opinion
Importance: Low
Assigned to: Unassigned

Bug Description

1) lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04

2) apt-cache policy freeradius
freeradius:
  Installed: 3.0.16+dfsg-1ubuntu3.1
  Candidate: 3.0.16+dfsg-1ubuntu3.1
  Version table:
 *** 3.0.16+dfsg-1ubuntu3.1 500
        500 http://ch.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.16+dfsg-1ubuntu3 500
        500 http://ch.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

3) What you expected to happen
Freeradius service to start on system boot.
Freeradius service to start with 'service freeradius start'.

4) What happened instead
Freeradius service doesn't start due to /tmp/radiusd missing and not being created automatically.

Oct 30 14:14:56 radius systemd[1]: Starting FreeRADIUS multi-protocol policy server...
Oct 30 14:14:56 radius freeradius[5524]: FreeRADIUS Version 3.0.16
Oct 30 14:14:56 radius freeradius[5524]: Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
Oct 30 14:14:56 radius freeradius[5524]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Oct 30 14:14:56 radius freeradius[5524]: PARTICULAR PURPOSE
Oct 30 14:14:56 radius freeradius[5524]: You may redistribute copies of FreeRADIUS under the terms of the
Oct 30 14:14:56 radius freeradius[5524]: GNU General Public License
Oct 30 14:14:56 radius freeradius[5524]: For more information about these matters, see the file named COPYRIGHT
Oct 30 14:14:56 radius freeradius[5524]: Starting - reading configuration files ...
Oct 30 14:14:56 radius freeradius[5524]: Debugger not attached
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Oct 30 14:14:56 radius freeradius[5524]: Creating attribute SQL-Group
Oct 30 14:14:56 radius freeradius[5524]: Creating attribute Unix-Group
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql_mysql: libmysql version: 5.7.27
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql (sql): Attempting to connect to database "radiusdb"
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql (sql): Initialising connection pool
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql (sql): Processing generate_sql_clients
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql (sql): Opening additional connection (0), 1 of 1 pending slots used
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql_mysql: Starting connect to MySQL server
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql (sql): Reserved connection (0)
Oct 30 14:14:56 radius freeradius[5524]: rlm_sql (sql): Released connection (0)
Oct 30 14:14:56 radius freeradius[5524]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
Oct 30 14:14:56 radius freeradius[5524]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" #011found in filter list for realm "DEFAULT".
Oct 30 14:14:56 radius freeradius[5524]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" #011found in filter list for realm "DEFAULT".
Oct 30 14:14:56 radius freeradius[5524]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Oct 30 14:14:56 radius freeradius[5524]: rlm_mschap (mschap): using internal authentication
Oct 30 14:14:56 radius freeradius[5524]: TLS section "tls" missing, trying to use legacy configuration
Oct 30 14:14:56 radius freeradius[5524]: tls: Failed changing permissions on /tmp/radiusd: No such file or directory
Oct 30 14:14:56 radius freeradius[5524]: rlm_eap_tls: Failed initializing SSL context
Oct 30 14:14:56 radius freeradius[5524]: rlm_eap (EAP): Failed to initialise rlm_eap_tls
Oct 30 14:14:56 radius freeradius[5524]: /etc/freeradius/3.0/mods-enabled/eap[2]: Instantiation failed for module "eap"
Oct 30 14:14:56 radius systemd[1]: freeradius.service: Control process exited, code=exited status=1
Oct 30 14:14:56 radius systemd[1]: freeradius.service: Failed with result 'exit-code'.
Oct 30 14:14:56 radius systemd[1]: Failed to start FreeRADIUS multi-protocol policy server.
Oct 30 14:15:01 radius systemd[1]: freeradius.service: Service hold-off time over, scheduling restart.
Oct 30 14:15:01 radius systemd[1]: freeradius.service: Scheduled restart job, restart counter is at 173.
Oct 30 14:15:01 radius systemd[1]: Stopped FreeRADIUS multi-protocol policy server.

5) Fix:
Create the following file …

nano /etc/tmpfiles.d/radius.conf

… with the following content …

d /tmp/radiusd 0700 freerad freerad - -

… save and exit, then execute the following command …

systemd-tmpfiles --create

… reboot.

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Summary from our conversation on #ubuntu-server today:

There isn't a problem in the default configuration shipped.

The default configuration includes a comment encouraging the user to configure /tmp/radius; in doing this the problem arises.

It's not right to use a hardcoded name in /tmp in this way in production, since there is no guarantee that any given name will be available. Using /run or /var/lib/radius or similar would be better.

It's not a problem for packaging to ship a tmpfiles.d snippet to create a directory in some recommended place to save trouble in a non-standard configuration that follows some published documentation even if it isn't used in the default configuration.

So I suggest that two changes are needed:

1) The comment should be adjusted to do something more suitable in production

2) A tmpfiles.d snippet might be added, but only after the documentation is made clear

I suggest that both of these need to happen from the source of the comment. I didn't do research to find out whether that originates in Debian packaging or in upstream, but it doesn't originate from Ubuntu as the Ubuntu package is in sync with Debian. To make progress, someone needs to figure out where this comment originates and file a bug there.

Since this is a valid issue I'm marking it Triaged, but it's clearly low priority because it affects non-default configuration and even then it's mostly a documentation issue. I don't expect any further progress to be made on this unless someone volunteers.

Changed in freeradius (Ubuntu):
status: New → Triaged
importance: Undecided → Low
summary: - freeradius not starting on boot
+ Configuration comment suggests non-default /tmp/radius configuration
+ which doesn't exist by default
Rolf Leggewie (r0lf) wrote :

Was that discussion not public? Can't find anything on https://irclogs.ubuntu.com/2019/11/01/

Alan DeKok (aland-freeradius) wrote :

> Oct 30 14:14:56 radius freeradius[5524]: TLS section "tls" missing, trying to use legacy configuration

i.e. you edited the default "eap" module configuration to *remove* the "tls" configuration.

Then tried to use the "eap-tls" method.

And wondered why it didn't work.

Here's the solution: don't do that.

Even if you fix this complaint about "tmpdir", you will get a bunch of other complaints about other missing things. Even if you fix those complaints, EAP-TLS won't work, because the configuration is likely not pointing at the correct certificate files.

Use the default configuration. It works.

This isn't a bug in the package. This is just "I edited the configuration, deleted too many things, and now it doesn't work".

Well, don't do that. This isn't a bug.

Andreas Hasenack (ahasenack) wrote :

The comments above the suggested /tmp/radiusd directory explain the requirements for the tmpdir parameter. While we can argue that /tmp is not the best place perhaps, the requirements won't change.

Changed in freeradius (Ubuntu):
status: Triaged → Opinion
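
Added example, not part of the bug report or of the FreeRADIUS package: a shell check for the directory discussed in this thread, using the owner and mode from the reporter's tmpfiles.d line (freerad, 0700) and warning when the parent is world-writable, which is the concern raised about a fixed name under /tmp. The function name check_tmpdir is hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a directory intended for the EAP-TLS "tmpdir" setting.
# check_tmpdir PATH OWNER
#   prints one line per finding; returns 0 only when there is no FAIL.
# Usage on the system from the report: check_tmpdir /tmp/radiusd freerad
check_tmpdir() {
    dir=$1
    owner=$2
    rc=0

    # Refuse a symlink: whoever controls the link decides where writes land.
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink"
        return 1
    fi
    # This is the condition behind "No such file or directory" in the log.
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist or is not a directory"
        return 1
    fi

    # GNU stat: %U = owner name, %a = permission bits in octal.
    actual_owner=$(stat -c %U "$dir")
    actual_mode=$(stat -c %a "$dir")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: owner is $actual_owner, expected $owner"
        rc=1
    fi
    if [ "$actual_mode" != "700" ]; then
        echo "FAIL: mode is $actual_mode, expected 700"
        rc=1
    fi

    # A fixed name in a world-writable parent (such as /tmp) can be created
    # first by any local user, so flag it even if the directory looks fine now.
    parent=$(dirname "$dir")
    parent_mode=$(stat -c %a "$parent")
    case $parent_mode in
        *[2367]) echo "WARN: parent $parent is world-writable (mode $parent_mode)" ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir"
    fi
    return "$rc"
}
```
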