Bug 891297 - ${db_dir} incorrectly defaults to /etc/raddb, should be /var/lib/radiusd
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: freeradius
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: John Dennis
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 891305
Reported: 2013-01-02 14:08 UTC by John Dennis
Modified: 2013-10-13 14:41 UTC

Fixed In Version: freeradius-3.0.0-1.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 891305 (view as bug list)
Environment:
Last Closed: 2013-10-13 14:41:43 UTC
Type: Bug
Embargoed:



Description John Dennis 2013-01-02 14:08:46 UTC
The configuration parameter db_dir, specified in /etc/raddb/radiusd.conf, is used to specify where database files will be created. Those database files are currently utilized by the ippool and counter modules as well as the experimental cache module.

/etc/raddb/radiusd.conf has these lines:

raddbdir = @raddbdir@
confdir = ${raddbdir}
db_dir = ${raddbdir}

raddbdir defaults to /etc/raddb

raddbdir can be set during the build via the configuration option:

--with-raddbdir=DIR     Directory for config files SYSCONFDIR/raddb

Thus both confdir and db_dir are set to /etc/raddb


confdir *MUST* be /etc/raddb

but db_dir should not be /etc/raddb because:

1) only configuration files are stored under /etc, not database files

2) /etc/raddb is only writable by root, thus the attempt to create database files under /etc/raddb will fail with permission denied errors, e.g.:

rlm_ippool: Failed to open file /etc/raddb/db.ippool: Permission denied

The correct place to locate these database files is under /var/lib/radiusd. This is even suggested by the comment in /etc/raddb/radiusd.conf above the initialization of db_dir:

# Should likely be ${localstatedir}/lib/radiusd

However, note that one cannot use --with-raddbdir to set this value because raddbdir also initializes confdir, which appears to be incorrect. The configuration directory and the database directory are logically *not* the same.

The suggested fix is to initialize confdir from something other than raddbdir and to use --with-raddbdir set to /var/lib/radiusd

Comment 1 John Dennis 2013-01-02 14:21:14 UTC
The suggestion at the end of comment #1 is incorrect; raddbdir points to the configuration files, thus it *must* remain /etc/raddb. The only viable fix is to edit raddb/radiusd.conf.in and modify

db_dir = ${raddbdir}

to be:

db_dir = ${localstatedir}/lib/radiusd

FWIW it appears to be an unfortunate historical artefact that the configuration directory (raddb) is called a "database" directory (the "db" suffix).

In any event db_dir is completely independent of the configuration directory and it is a mistake the two were ever conflated.

Comment 2 John Dennis 2013-10-13 14:41:43 UTC
Fix applied for next major version so as not to disrupt existing deployments.

freeradius-3.0.0-1.fc21
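
The condition described in this bug can be checked mechanically by expanding the ${...} references and looking at where db_dir ends up. The following is an added example, not code from the bug report or from FreeRADIUS. It assumes a flat list of top-level assignments; the sample text, the /var value for localstatedir, and the function names resolve and check_db_dir are constructed for illustration:

```python
import re

# Constructed sample mirroring the lines quoted in the bug description,
# with @raddbdir@ already substituted as /etc/raddb; localstatedir is assumed.
SAMPLE_BEFORE = """\
localstatedir = /var
raddbdir = /etc/raddb
confdir = ${raddbdir}
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
"""
# Same sample with the change proposed in comment 1 applied.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "db_dir = ${raddbdir}", "db_dir = ${localstatedir}/lib/radiusd")

ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*=\s*(.+?)\s*$")
REF = re.compile(r"\$\{([^}]+)\}")

def resolve(conf_text):
    """Return name -> value for flat assignments, with ${name} expanded."""
    raw = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # simplified comment stripping
        m = ASSIGN.match(line)
        if m:
            raw[m.group(1)] = m.group(2)

    def expand(value, depth=0):
        if depth > 10:
            raise ValueError("reference loop in configuration")
        def sub(ref):
            name = ref.group(1)
            # Unknown names are left unexpanded rather than guessed.
            return expand(raw[name], depth + 1) if name in raw else ref.group(0)
        return REF.sub(sub, value)

    return {name: expand(value) for name, value in raw.items()}

def check_db_dir(conf_text):
    """Return findings about db_dir; an empty list means no problem found."""
    values = resolve(conf_text)
    db_dir, confdir = values.get("db_dir"), values.get("confdir")
    if db_dir is None:
        return ["db_dir is not set"]
    findings = []
    if db_dir == confdir:
        findings.append(f"db_dir and confdir both resolve to {db_dir}")
    if db_dir == "/etc" or db_dir.startswith("/etc/"):
        findings.append(f"db_dir {db_dir} is under /etc, not a state directory")
    return findings
```
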

