Bug 1022033 - ${db_dir} incorrectly defaults to /etc/raddb, should be /var/lib/radiusd
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: freeradius
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: rc
Assigned To: John Dennis
QA Contact: BaseOS QE Security Team
Blocks: 1061410
Reported: 2013-10-22 10:10 EDT by Karel Srot
Modified: 2014-11-21 08:24 EST

Doc Type: Bug Fix
Clone Of: 891305
Last Closed: 2014-11-21 08:24:19 EST
Type: Bug
Description Karel Srot 2013-10-22 10:10:23 EDT
I am not sure whether this is worth fixing in RHEL-6 though.

+++ This bug was initially created as a clone of Bug #891297 +++

The configuration parameter db_dir, specified in /etc/raddb/radiusd.conf is used to specify where database files will be created. Those database files are currently utilized by ippool and counter modules as well as the experimental cache module.

/etc/raddb/radiusd.conf has these lines:

raddbdir = @raddbdir@
confdir = ${raddbdir}
db_dir = ${raddbdir}

raddbdir defaults to /etc/raddb

raddbdir can be set during the build via the configuration option:

--with-raddbdir=DIR     Directory for config files SYSCONFDIR/raddb

Thus confdir and db_dir are both set to /etc/raddb.

confdir *MUST* be /etc/raddb

but db_dir should not be /etc/raddb because:

1) only configuration files are stored under /etc, not database files

2) /etc/raddb is only writable by root, thus the attempt to create database files under /etc/raddb will fail with permission denied errors, e.g.:

rlm_ippool: Failed to open file /etc/raddb/db.ippool: Permission denied

The correct place to locate these database files is under /var/lib/radiusd. This is even suggested by the comment in /etc/raddb/radiusd.conf above the initialization of db_dir:

# Should likely be ${localstatedir}/lib/radiusd

However, note that one cannot use --with-raddbdir to set this value because raddbdir also initializes confdir, which appears to be incorrect. The configuration directory and the database directory are logically *not* the same.

The suggested fix is to initialize confdir from something other than raddbdir and to use --with-raddbdir set to /var/lib/radiusd.

--- Additional comment from John Dennis on 2013-01-02 09:21:14 EST ---

The suggestion at the end of comment #1 is incorrect, raddbdir points to the configuration files, thus it *must* remain /etc/raddb. The only viable fix is to edit raddb/radiusd.conf.in and modify 

db_dir = ${raddbdir}

to be:

db_dir = ${localstatedir}/lib/radiusd

FWIW it appears to be an unfortunate historical artefact that the configuration directory (raddb) is called a "database" directory (the "db" suffix).

In any event db_dir is completely independent of the configuration directory and it is a mistake the two were ever conflated.
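The report above hinges on two things: how `${name}` references in radiusd.conf expand (so that `db_dir = ${raddbdir}` silently inherits the configuration directory), and why a non-root daemon then fails with "Permission denied" when it tries to create db.ippool there. The following is an added example written for this page, not FreeRADIUS code and not part of the bug report. It resolves the variable chain for a constructed copy of the defaulting described in the report and for the fix John Dennis proposes, flags a db_dir that lands inside confdir or under /etc, and reproduces the permission failure against a 0755 directory. It assumes that `@raddbdir@` and `@localstatedir@` were substituted at build time with /etc/raddb and /var, that references expand top to bottom against earlier assignments (a simplification of the real parser), and it uses uid 123456 as a stand-in for the unprivileged service account.

```python
import os
import re
import stat
import tempfile

ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")
REF_RE = re.compile(r"\$\{(\w+)\}")

# Constructed fragments covering only the variables this bug discusses.
# @raddbdir@ / @localstatedir@ are assumed to have been substituted at
# build time with /etc/raddb and /var (RHEL layout).
BUGGY_CONF = """\
localstatedir = /var
raddbdir = /etc/raddb
confdir = ${raddbdir}
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
"""

FIXED_CONF = """\
localstatedir = /var
raddbdir = /etc/raddb
confdir = ${raddbdir}
db_dir = ${localstatedir}/lib/radiusd
"""


def resolve(conf_text):
    """Expand ${name} references in 'name = value' lines, top to bottom."""
    values = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # strip comments
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        # An unknown reference raises KeyError instead of expanding to "".
        values[name] = REF_RE.sub(lambda r: values[r.group(1)], raw)
    return values


def db_dir_problems(values):
    """Return the reasons db_dir is misplaced; an empty list means it is fine."""
    db_dir = values.get("db_dir")
    confdir = values.get("confdir")
    if db_dir is None:
        return ["db_dir is not set"]
    problems = []
    if confdir and os.path.commonpath([db_dir, confdir]) == confdir:
        problems.append("db_dir %s is inside confdir %s" % (db_dir, confdir))
    if db_dir == "/etc" or db_dir.startswith("/etc/"):
        problems.append("db_dir %s is under /etc, which holds configuration, not state" % db_dir)
    return problems


def can_create_files(path, uid, gid):
    """True if a process running as uid/gid could create files in directory path.

    Plain DAC check on the mode bits (no ACLs, no SELinux); root always passes.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def demo_permission_failure():
    """Reproduce the 'Permission denied' case with a constructed 0755 directory.

    Returns (owner_can_write, service_user_can_write) for a directory owned by
    the current user, standing in for root-owned /etc/raddb; uid/gid 123456 is
    an assumed placeholder for the unprivileged radiusd account.
    """
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        return (can_create_files(d, os.getuid(), os.getgid()),
                can_create_files(d, 123456, 123456))


if __name__ == "__main__":
    for label, text in (("buggy", BUGGY_CONF), ("fixed", FIXED_CONF)):
        v = resolve(text)
        print(label, "db_dir =", v["db_dir"], db_dir_problems(v) or "ok")
    print("owner/service can write 0755 dir:", demo_permission_failure())
```

Run as a script it reports two problems for the buggy fragment and none for the fixed one, and shows that the directory owner can create files while the service uid cannot, which is exactly the rlm_ippool failure quoted in the report. The same `resolve` plus `db_dir_problems` pair is a cheap post-install check for any packaged radiusd.conf.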
Comment 1 Dmitri Pal 2014-03-14 17:44:09 EDT
Not on ACL for 6.6. Moving out.
