diff --git a/CVE-2019-10143.patch b/CVE-2019-10143.patch
new file mode 100644
index 0000000..b98359d
--- /dev/null
+++ b/CVE-2019-10143.patch
@@ -0,0 +1,101 @@
+From 6bef910f875f3f76768a97c96ba1adb6fe197862 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Tue, 7 May 2019 16:04:29 -0400
+Subject: [PATCH] su to radiusd user/group when rotating logs
+
+Ported from:
+https://github.com/FreeRADIUS/freeradius-server/commit/1f233773962bf1a9c2d228a180eacddb9db2d574
+
+The su directive to logrotate ensures that log rotation happens under the
+owner of the logs. Otherwise, logrotate runs as root:root, potentially
+enabling privilege escalation if a RCE is discovered against the
+FreeRADIUS daemon.
+
+Signed-off-by: Alexander Scheel
+Integrated-by: Yahu Gao
+---
+ debian/freeradius.logrotate | 3 +++
+ redhat/freeradius-logrotate | 1 +
+ scripts/logrotate/freeradius | 3 +++
+ suse/radiusd-logrotate | 1 +
+ 4 files changed, 8 insertions(+)
+
+diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate
+index 02f95c0..b4925f4 100644
+--- a/debian/freeradius.logrotate
++++ b/debian/freeradius.logrotate
+@@ -16,6 +16,7 @@ notifempty
+ #
+ /var/log/freeradius/radius.log {
+ copytruncate
++ su freerad freerad
+ }
+ 
+ #
+@@ -37,6 +38,7 @@ notifempty
+ #
+ /var/log/freeradius/sqllog.sql {
+ nocreate
++ su freerad freerad
+ }
+ 
+ # There are different detail-rotating strategies you can use. One is
+@@ -48,4 +50,5 @@ notifempty
+ # detail files. You do not need to comment out the below for method #2.
+ /var/log/freeradius/radacct/*/detail {
+ nocreate
++ su freerad freerad
+ }
+diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate
+index 6faf336..a824e5f 100644
+--- a/redhat/freeradius-logrotate
++++ b/redhat/freeradius-logrotate
+@@ -9,6 +9,7 @@ rotate 4
+ missingok
+ compress
+ delaycompress
++su radiusd radiusd
+ 
+ #
+ # The main server log
+diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius
+index cbeeb5f..1c0fb59 100644
+--- a/scripts/logrotate/freeradius
++++ b/scripts/logrotate/freeradius
+@@ -19,6 +19,7 @@ notifempty
+ #
+ /var/log/radius/radius.log {
+ copytruncate
++ su radiusd radiusd
+ }
+ 
+ #
+@@ -40,6 +41,7 @@ notifempty
+ #
+ /var/log/radius/sqllog.sql {
+ nocreate
++ su radiusd radiusd
+ }
+ 
+ # There are different detail-rotating strategies you can use. One is
+@@ -51,4 +53,5 @@ notifempty
+ # detail files. You do not need to comment out the below for method #2.
+ /var/log/radius/radacct/*/detail {
+ nocreate
++ su radiusd radiusd
+ }
+diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate
+index b72267b..5ae1c9e 100644
+--- a/suse/radiusd-logrotate
++++ b/suse/radiusd-logrotate
+@@ -11,6 +11,7 @@ missingok
+ compress
+ delaycompress
+ notifempty
++su radiusd radiusd
+ 
+ #
+ # The main server log
+--
+1.8.3.1
+
diff --git a/CVE-2019-11234_1.patch b/CVE-2019-11234_1.patch
new file mode 100644
index 0000000..6c2e6ad
--- /dev/null
+++ b/CVE-2019-11234_1.patch
@@ -0,0 +1,67 @@
+From 85497b5ff37ccb656895b826b88585898c209586 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef
+Date: Tue, 9 Apr 2019 15:17:19 -0400
+Subject: [PATCH] When processing an EAP-pwd Commit frame, the peer's scalar
+ and elliptic curve point were not validated. This allowed an adversary to
+ bypass authentication, and impersonate any user.
+
+Fix this vulnerability by assuring the received scalar lies within the valid
+range, and by checking that the received element is not the point at infinity
+and lies on the elliptic curve being used.
+
+Patch from:
+https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586
+
+Integrated-by: Chen Liu
+---
+ src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index 7f91e4b..848ca20 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ data_len = BN_num_bytes(session->order);
+ BN_bin2bn(ptr, data_len, session->peer_scalar);
+ 
++ /* validate received scalar */
++ if (BN_is_zero(session->peer_scalar) ||
++ BN_is_one(session->peer_scalar) ||
++ BN_cmp(session->peer_scalar, session->order) >= 0) {
++ ERROR("Peer's scalar is not within the allowed range");
++ goto finish;
++ }
++
+ if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
+ DEBUG2("pwd: unable to get coordinates of peer's element");
+ goto finish;
+ }
+ 
++ /* validate received element */
++ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
++ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
++ ERROR("Peer's element is not a point on the elliptic curve");
++ goto finish;
++ }
++
+ /* check to ensure peer's element is not in a small sub-group */
+ if (BN_cmp(cofactor, BN_value_one())) {
+ if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
+@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ }
+ }
+ 
++ /* detect reflection attacks */
++ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
++ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
++ ERROR("Reflection attack detected");
++ goto finish;
++ }
++
+ /* compute the shared key, k */
+ if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
+ (!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
+--
+1.8.3.1
+
diff --git a/CVE-2019-11234_2.patch b/CVE-2019-11234_2.patch
new file mode 100644
index 0000000..7f73cbb
--- /dev/null
+++ b/CVE-2019-11234_2.patch
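Review bot: The new on-curve test treats an OpenSSL error as success: `EC_POINT_is_on_curve()` returns 1 / 0 / -1 (on curve / not on curve / error), and `!(-1)` is false, so a failed check lets the peer element through to the cofactor test and on to the `EC_POINT_mul` that derives `K`. Compare against 1 explicitly, `if (EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) != 1 ||`. The reflection check in the second hunk has the mirror-image problem — `EC_POINT_cmp()` also returns -1 on error, which `== 0` reads as "different" — so `EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) != 1) {` rejects both the reflected and the unverifiable case. The `bn_ctx` spelling is already corrected by the follow-up patch in this same commit, so the lines above use `bnctx`. `process_peer_commit()` begins and ends outside these hunks, and the context line `BN_bin2bn(ptr, data_len, session->peer_scalar);` still ignores its return value.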
@@ -0,0 +1,38 @@
+From ab4c767099f263a7cd4109bcdca80ee74210a769 Mon Sep 17 00:00:00 2001
+From: Matthew Newton
+Date: Wed, 10 Apr 2019 10:11:23 +0100
+Subject: [PATCH] fix incorrectly named variable
+
+Patch from:
+https://github.com/FreeRADIUS/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769
+
+Integrated-by: Chen Liu
+---
+ src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index 848ca20..c54f08c 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -387,7 +387,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ }
+ 
+ /* validate received element */
+- if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
++ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+@@ -408,7 +408,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ 
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+- EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
++ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+--
+1.8.3.1
+
diff --git a/README.en.md b/README.en.md
deleted file mode 100644
index 24b0663..0000000
--- a/README.en.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# freeradius
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Instructions
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Contribution
-
-1. Fork the repository
-2. Create Feat_xxx branch
-3. Commit your code
-4. Create Pull Request
-
-
-#### Gitee Feature
-
-1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4. The most valuable open source project [GVP](https://gitee.com/gvp)
-5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/README.md b/README.md
deleted file mode 100644
index 5405aac..0000000
--- a/README.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# freeradius
-
-#### 介绍
-{**以下是码云平台说明,您可以替换此简介**
-码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN)。专为开发者提供稳定、高效、安全的云端软件开发协作平台
-无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 使用说明
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 参与贡献
-
-1. Fork 本仓库
-2. 新建 Feat_xxx 分支
-3. 提交代码
-4. 新建 Pull Request
-
-
-#### 码云特技
-
-1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
-2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
-3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
-4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
-5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/freeradius-logrotate b/freeradius-logrotate
new file mode 100644
index 0000000..6d78976
--- /dev/null
+++ b/freeradius-logrotate
@@ -0,0 +1,7 @@
+/var/log/radius/radacct/*/detail /var/log/radius/*.log /var/log/radius/radutmp /var/log/radius/radwtmp {
+ monthly
+ rotate 4
+ nocreate
+ missingok
+ compress
+}
diff --git a/freeradius-pam-conf b/freeradius-pam-conf
new file mode 100644
index 0000000..6b70db4
--- /dev/null
+++ b/freeradius-pam-conf
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/freeradius-server-3.0.15.tar.bz2 b/freeradius-server-3.0.15.tar.bz2
new file mode 100644
index 0000000..a4aa2f0
Binary files /dev/null and b/freeradius-server-3.0.15.tar.bz2 differ
diff --git a/freeradius-tmpfiles.conf b/freeradius-tmpfiles.conf
new file mode 100644
index 0000000..ead7a2f
--- /dev/null
+++ b/freeradius-tmpfiles.conf
@@ -0,0 +1 @@
+D /var/run/radiusd 0710 radiusd radiusd -
diff --git a/freeradius.spec b/freeradius.spec
new file mode 100644
index 0000000..968bd49
--- /dev/null
+++ b/freeradius.spec
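Review bot: This is the logrotate configuration the spec actually installs (`Source2` → `%{_sysconfdir}/logrotate.d/radiusd`), and it carries no `su` directive, so the backported CVE-2019-10143 patch in this same commit — which only edits `redhat/freeradius-logrotate` and its siblings inside the tarball — never reaches the shipped package: logrotate still runs as root inside `/var/log/radius`, which the spec packages as `%attr(700,radiusd,radiusd)`. Add `su radiusd radiusd` inside the block, as the patch does for the in-tree redhat file. The in-tree files also use `notifempty`/`delaycompress`, which this copy drops; whether that was intentional is not visible here.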
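Review bot: `include common-auth` / `common-account` / `common-password` / `common-session` are the Debian- and SUSE-style stack names, while everything else in this commit (the `radiusd` account, `%{_unitdir}`, `systemd_post`) targets an RPM/Fedora-derived layout whose stacks are normally `system-auth` and `password-auth`. If the target distribution does not ship `/etc/pam.d/common-*`, PAM cannot resolve the include and every `rlm_pam` request fails (closed, but the module is unusable); confirm the include targets exist on the build target, or use `auth include password-auth` / `account include password-auth` and the matching `password`/`session` lines.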
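Review bot: The tmpfiles entry creates only `/var/run/radiusd`, but the spec also packages `%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp`; on a system where `/run` is a tmpfs that subdirectory exists only until the first reboot, because nothing recreates it. Add a second line, `d /run/radiusd/tmp 0700 radiusd radiusd -`, and consider spelling the first as `d /run/radiusd 0710 radiusd radiusd -` too, since `/var/run` is the legacy alias and `D` additionally empties the directory on `systemd-tmpfiles --remove`. Whether radiusd actually needs the `tmp` subdirectory at runtime is not visible in this diff.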
@@ -0,0 +1,439 @@
+%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
+%define openssl_version %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
+%define perl_version %(eval "`%{__perl} -V:version`"; echo $version)
+
+Name: freeradius
+Version: 3.0.15
+Release: 17
+Summary: Remote Authentication Dial-In User Service
+
+License: GPLv2+ and LGPLv2+
+URL: http://www.freeradius.org/
+Source0: https://ftp.yz.yamagata-u.ac.jp/pub/network/freeradius/old/freeradius-server-3.0.15.tar.bz2
+Source1: radiusd.service
+Source2: freeradius-logrotate
+Source3: freeradius-pam-conf
+Source4: freeradius-tmpfiles.conf
+
+# patch for backport CVE
+Patch6000: CVE-2019-11234_1.patch
+Patch6001: CVE-2019-11234_2.patch
+Patch6002: CVE-2019-10143.patch
+
+BuildRequires: autoconf gdbm-devel openssl openssl-devel pam-devel zlib-devel net-snmp-devel
+BuildRequires: net-snmp-utils readline-devel libpcap-devel systemd-units libtalloc-devel
+BuildRequires: pcre-devel unixODBC-devel json-c-devel libcurl-devel
+
+Requires: openssl >= %{openssl_version}
+Requires(pre): shadow-utils glibc-common
+Requires(post): systemd-sysv systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+Provides: %{name}-unixODBC = %{version}-%{release} %{name}-rest = %{version}-%{release}
+Obsoletes: %{name}-unixODBC < %{version}-%{release} %{name}-rest < %{version}-%{release}
+
+%description
+Remote Authentication Dial-In User Service (RADIUS) is a networking
+protocol that provides centralized Authentication, Authorization, and
+Accounting (AAA or Triple A) management for users who connect and
+use a network service.
+
+%package utils
+Summary: Clients utilities of the FreeRADIUS package
+Requires: %{name} = %{version}-%{release} libpcap >= 0.9.4
+
+%description utils
+Collection of FreeRADIUS utilities,additional features not found in any other server.
+
+%package devel
+Summary: Development files of the FreeRADIUS package
+Requires: %{name} = %{version}-%{release}
+
+%description devel
+FreeRADIUS header files for development.
+
+%package ldap
+Summary: LDAP support of the FreeRADIUS package
+BuildRequires: openldap-devel
+Requires: %{name} = %{version}-%{release}
+
+%description ldap
+FreeRADIUS plugin providing LDAP support.
+
+%package krb5
+Summary: Kerberos 5 support of the FreeRADIUS package
+BuildRequires: krb5-devel
+Requires: %{name} = %{version}-%{release}
+
+%description krb5
+FreeRADIUS plugin providing Kerberos 5 authentication support.
+
+%package perl
+Summary: Perl support of the FreeRADIUS package
+Requires: %{name} = %{version}-%{release} perl(:MODULE_COMPAT_%{perl_version})
+BuildRequires: perl-devel perl-generators perl(ExtUtils::Embed)
+
+%description perl
+FreeRADIUS plugin providing Perl support.
+
+%package -n python2-freeradius
+Summary: Python support of the FreeRADIUS package
+BuildRequires: python2-devel
+Requires: %{name} = %{version}-%{release}
+%{?python_provide:%python_provide python2-freeradius}
+Provides: %{name}-python = %{version}-%{release}
+Obsoletes: %{name}-python < %{version}-%{release}
+
+%description -n python2-freeradius
+FreeRADIUS plugin providing Python support.
+
+%package mysql
+Summary: MySQL support of the FreeRADIUS package
+BuildRequires: mariadb-connector-c-devel
+Requires: %{name} = %{version}-%{release}
+
+%description mysql
+FreeRADIUS plugin providing MySQL support.
+
+%package postgresql
+Summary: Postgresql support of the FreeRADIUS package
+BuildRequires: postgresql-devel
+Requires: %{name} = %{version}-%{release}
+
+%description postgresql
+FreeRADIUS plugin providing PostgreSQL support.
+
+%package sqlite
+Summary: SQLite support of the FreeRADIUS package
+BuildRequires: sqlite-devel
+Requires: %{name} = %{version}-%{release}
+
+%description sqlite
+FreeRADIUS plugin providing SQLite support.
+
+%package help
+Summary: Help document file of the FreeRADIUS package
+Requires: %{name} = %{version}-%{release}
+Provides: %{name}-doc = %{version}-%{release}
+Obsoletes: %{name}-doc < %{version}-%{release}
+
+%description help
+Help document of the FreeRADIUS package.
+
+%prep
+%autosetup -n freeradius-server-%{version} -p1
+
+%build
+%configure \
+ --libdir=%{_libdir}/freeradius --disable-openssl-version-check \
+ --with-docdir=%{docdir} --with-rlm-sql_postgresql-include-dir=/usr/include/pgsql \
+ --with-rlm-sql-postgresql-lib-dir=%{_libdir} \
+ --with-rlm-sql_mysql-include-dir=/usr/include/mysql \
+ --with-mysql-lib-dir=%{_libdir}/mariadb \
+ --with-unixodbc-lib-dir=%{_libdir} --with-rlm-dbm-lib-dir=%{_libdir} \
+ --with-rlm-krb5-include-dir=/usr/kerberos/include \
+ --without-rlm_eap_ikev2 --without-rlm_eap_tnc --without-rlm_sql_iodbc \
+ --without-rlm_sql_firebird --without-rlm_sql_db2 --without-rlm_sql_oracle \
+ --without-rlm_unbound --without-rlm_redis --without-rlm_rediswho \
+ --without-rlm_cache_memcached
+
+%make_build
+
+%install
+install -d $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd
+make install R=$RPM_BUILD_ROOT
+
+install -d $RPM_BUILD_ROOT/var/log/radius/radacct
+touch $RPM_BUILD_ROOT/var/log/radius/radutmp
+touch $RPM_BUILD_ROOT/var/log/radius/radius.log
+
+
+install -D -m 644 %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service
+install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd
+install -D -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd
+
+install -d %{buildroot}%{_tmpfilesdir}
+install -d %{buildroot}%{_localstatedir}/run/
+install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
+install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/radiusd.conf
+
+install -d $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
+install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
+
+install -D LICENSE $RPM_BUILD_ROOT/%{docdir}/LICENSE.gpl
+install -D src/lib/LICENSE $RPM_BUILD_ROOT/%{docdir}/LICENSE.lgpl
+install -D src/LICENSE.openssl $RPM_BUILD_ROOT/%{docdir}/LICENSE.openssl
+
+for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do
+ cp $f $RPM_BUILD_ROOT/%{docdir}
+done
+
+%pre
+getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
+getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" \
+ -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1
+
+%post
+%systemd_post radiusd.service
+if [ $1 -eq 1 ]; then
+ if [ ! -e /etc/raddb/certs/server.pem ]; then
+ /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
+ fi
+fi
+exit 0
+
+%preun
+%systemd_preun radiusd.service
+
+%postun
+%systemd_postun_with_restart radiusd.service
+if [ $1 -eq 0 ]; then
+ getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1
+ getent group radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1
+fi
+exit 0
+
+/bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :
+
+%files
+%license %{docdir}/{LICENSE.gpl,LICENSE.lgpl,LICENSE.openssl}
+
+%config(noreplace) %{_sysconfdir}/pam.d/radiusd
+%config(noreplace) %{_sysconfdir}/logrotate.d/radiusd
+%{_unitdir}/radiusd.service
+%{_tmpfilesdir}/radiusd.conf
+%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
+%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
+%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
+
+# /etc/raddb dir
+%dir %attr(755,root,radiusd) /etc/raddb
+%defattr(-,root,radiusd)
+/etc/raddb/README.rst
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/{panic.gdb,clients.conf,templates.conf,trigger.conf}
+%attr(644,root,radiusd) %config(noreplace) /etc/raddb/dictionary
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/{proxy.conf,radiusd.conf}
+
+%config /etc/raddb/hints
+%config /etc/raddb/huntgroups
+%config(noreplace) /etc/raddb/users
+%exclude /etc/raddb/experimental.conf
+
+# /etc/raddb/certs dir
+%dir %attr(770,root,radiusd) /etc/raddb/certs
+%config(noreplace) /etc/raddb/certs/{Makefile,passwords.mk,xpextensions}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
+%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
+/etc/raddb/certs/README
+%exclude /etc/raddb/certs/{*.crt,*.csr,*.der,*.key,*.pem,*.p12}
+%exclude /etc/raddb/certs/{index.*,serial*,dh,random}
+
+# /etc/raddb/mods-config dir
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config
+/etc/raddb/mods-config/README.rst
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/attr_filter
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/attr_filter/*
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/files
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/files/*
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/preprocess
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/preprocess/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/{counter,cui,ippool,ippool-dhcp,main}
+%exclude /etc/raddb/mods-config/sql/main/mssql
+%exclude /etc/raddb/mods-config/sql/ippool/oracle
+%exclude /etc/raddb/mods-config/sql/ippool-dhcp/oracle
+%exclude /etc/raddb/mods-config/sql/main/oracle
+%exclude /etc/raddb/mods-config/sql/moonshot-targeted-ids
+%exclude /etc/raddb/mods-config/unbound/default.conf
+
+# /etc/raddb/sites-available dir
+%dir %attr(750,root,radiusd) /etc/raddb/sites-available
+/etc/raddb/sites-available/README
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{control-socket,decoupled-accounting}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{robust-proxy-accounting,soh,coa,example}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{inner-tunnel,dhcp,check-eap-tls,status}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{dhcp.relay,virtual.example.com}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{originate-coa,vmps,default}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{proxy-inner-tunnel,dynamic-clients}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{copy-acct-to-home-server,buffered-sql}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{tls,channel_bindings,challenge}
+%exclude /etc/raddb/sites-available/abfab*
+
+# /etc/raddb/sites-enabled dir
+%dir %attr(750,root,radiusd) /etc/raddb/sites-enabled
+%config(missingok) /etc/raddb/sites-enabled/{inner-tunnel,default}
+
+# /etc/raddb/mods-available/ dir
+%dir %attr(750,root,radiusd) /etc/raddb/mods-available
+/etc/raddb/mods-available/README.rst
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{always,attr_filter,cache}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{cache_eap,chap,counter,cui,date}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{detail,detail.example.com,detail.log}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{dhcp,dhcp_sqlippool,digest}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{dynamic_clients,eap,echo,etc_group}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{exec,expiration,expr,files,idn}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{inner-eap,ippool,linelog,logintime}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{mac2ip,mac2vlan,mschap,ntlm_auth}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{opendirectory,otp,pam,pap,passwd}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{preprocess,python,radutmp,realm}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{redis,rediswho,replicate,smbpasswd}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{smsotp,soh,sometimes,sql,sqlcounter}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{sqlippool,sradutmp,unix,unpack}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{utf8,wimax,yubikey}
+%exclude /etc/raddb/mods-available/{unbound,couchbase,abfab*,moonshot-targeted-ids}
+
+# /etc/raddb/mods-enabled dir
+%dir %attr(750,root,radiusd) /etc/raddb/mods-enabled
+%config(missingok) /etc/raddb/mods-enabled/{always,attr_filter,cache_eap,chap,date,detail,detail.log}
+%config(missingok) /etc/raddb/mods-enabled/{dhcp,digest,dynamic_clients,eap,echo,exec,expiration,expr}
+%config(missingok) /etc/raddb/mods-enabled/{files,linelog,logintime,mschap,ntlm_auth,pap,passwd,preprocess}
+%config(missingok) /etc/raddb/mods-enabled/{radutmp,realm,replicate,soh,sradutmp,unix,unpack,utf8}
+
+# /etc/raddb/policy.d dir
+%dir %attr(750,root,radiusd) /etc/raddb/policy.d
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/{accounting,canonicalization,control,cui}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/{debug,dhcp,eap,filter,operator-name}
+%exclude /etc/raddb/policy.d/{abfab*,moonshot-targeted-ids}
+
+# /usr/sbin/binaries
+%defattr(-,root,root)
+/usr/sbin/{checkrad,raddebug,radiusd,radmin}
+%exclude /usr/sbin/rc.radiusd
+
+# dictionaries
+%dir %attr(755,root,root) /usr/share/freeradius
+/usr/share/freeradius/*
+
+# logs
+%dir %attr(700,radiusd,radiusd) /var/log/radius/
+%dir %attr(700,radiusd,radiusd) /var/log/radius/radacct/
+%ghost %attr(644,radiusd,radiusd) /var/log/radius/radutmp
+%ghost %attr(600,radiusd,radiusd) /var/log/radius/radius.log
+
+# libs
+%attr(755,root,root) %{_libdir}/freeradius/lib*.so*
+%dir %attr(755,root,root) %{_libdir}/freeradius
+%{_libdir}/freeradius/{proto_dhcp.so,proto_vmps.so,rlm_always.so,rlm_attr_filter.so,rlm_cache.so}
+%{_libdir}/freeradius/{rlm_cache_rbtree.so,rlm_chap.so,rlm_counter.so,rlm_cram.so,rlm_date.so}
+%{_libdir}/freeradius/{rlm_detail.so,rlm_dhcp.so,rlm_digest.so,rlm_dynamic_clients.so,rlm_eap.so}
+%{_libdir}/freeradius/{rlm_eap_fast.so,rlm_eap_gtc.so,rlm_eap_leap.so,rlm_eap_md5.so,rlm_eap_mschapv2.so}
+%{_libdir}/freeradius/{rlm_eap_peap.so,rlm_eap_pwd.so,rlm_eap_sim.so,rlm_eap_tls.so,rlm_eap_ttls.so}
+%{_libdir}/freeradius/{rlm_exec.so,rlm_expiration.so,rlm_expr.so,rlm_files.so,rlm_ippool.so,rlm_linelog.so}
+%{_libdir}/freeradius/{rlm_logintime.so,rlm_mschap.so,rlm_otp.so,rlm_pam.so,rlm_pap.so,rlm_passwd.so}
+%{_libdir}/freeradius/{rlm_preprocess.so,rlm_radutmp.so,rlm_realm.so,rlm_replicate.so,rlm_soh.so}
+%{_libdir}/freeradius/{rlm_sometimes.so,rlm_sql.so,rlm_sqlcounter.so,rlm_sqlippool.so,rlm_sql_null.so}
+%{_libdir}/freeradius/{rlm_unix.so,rlm_unpack.so,rlm_utf8.so,rlm_wimax.so,rlm_yubikey.so}
+%exclude %{_libdir}/freeradius/{*.a,*.la,rlm_test.so}
+
+# MIB files
+%{_datadir}/snmp/mibs/*RADIUS*.mib
+
+# unixODBC
+%{_libdir}/freeradius/rlm_sql_unixodbc.so
+
+# rest
+%{_libdir}/freeradius/rlm_rest.so
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
+
+%files help
+%doc %{docdir}/
+# utils man pages
+%doc %{_mandir}/man1/*
+# main man pages
+%doc %{_mandir}/man5/*
+%doc %{_mandir}/man8/*
+
+%files utils
+/usr/bin/*
+%exclude /usr/bin/rbmonkey
+
+%files devel
+/usr/include/freeradius
+
+%files krb5
+%{_libdir}/freeradius/rlm_krb5.so
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/krb5
+
+%files perl
+%{_libdir}/freeradius/rlm_perl.so
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/perl
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/perl
+%attr(640,root,radiusd) /etc/raddb/mods-config/perl/example.pl
+
+%files -n python2-freeradius
+%{_libdir}/freeradius/rlm_python.so
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python
+/etc/raddb/mods-config/python/{example.py*,radiusd.py*}
+
+%files mysql
+%{_libdir}/freeradius/rlm_sql_mysql.so
+/etc/raddb/mods-config/sql/main/ndb/README
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/{setup.sql,queries.conf,schema.sql}
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/extras/wimax/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/ndb
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/ndb/{setup.sql,schema.sql}
+
+%files postgresql
+%{_libdir}/freeradius/rlm_sql_postgresql.so
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/postgresql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/postgresql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/postgresql/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/{setup.sql,queries.conf,schema.sql}
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/*
+
+%files sqlite
+%{_libdir}/freeradius/rlm_sql_sqlite.so
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/sqlite/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/sqlite/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/*
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/*
+
+%files ldap
+%{_libdir}/freeradius/rlm_ldap.so
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap
+
+%changelog
+* Fri Feb 14 2020 yanzhihua - 3.0.15-16
+- Package init
+
+
diff --git a/radiusd.service b/radiusd.service
new file mode 100644
index 0000000..67696ad
--- /dev/null
+++ b/radiusd.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/radiusd/radiusd.pid
+ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -d /etc/raddb
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
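Review bot: `%postun` removes the `radiusd` user and group on package removal, which leaves `/var/log/radius` (packaged `%attr(700,radiusd,radiusd)`) and anything the daemon wrote into the group-writable `%attr(770,root,radiusd) /etc/raddb/certs` owned by a dangling uid/gid 95 that the next system account allocated that id silently inherits; system accounts are created in `%pre` but should not be deleted, so drop the `userdel`/`groupdel` block. The trailing `/bin/systemctl try-restart radiusd.service` in the same scriptlet is unreachable — it follows `exit 0` — and duplicates what `%systemd_postun_with_restart` already does, so it can go as well. `--disable-openssl-version-check` in `%build` switches off FreeRADIUS's start-up refusal to run against an OpenSSL older than the build-time one, and `Requires: openssl >= %{openssl_version}` is what stands in for it; a one-line comment saying so next to the flag would save the next maintainer from re-deriving that. `%changelog` records `3.0.15-16` while `Release:` is 17.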
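Review bot: `ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd` has root recursively re-owning a tree that the daemon itself writes to and that the tmpfiles entry (`Source4`) and the spec's `%dir %attr(710,radiusd,radiusd)` already create with that owner, so the line is redundant and is the same root-acts-inside-a-daemon-owned-directory shape that the CVE-2019-10143 logrotate patch in this commit removes; drop it, or at least make it non-recursive. The unit also carries no sandboxing — no `ProtectSystem=full`, `ProtectHome=yes`, `PrivateTmp=yes` or `NoNewPrivileges=yes` — which are cheap to add for a network-facing daemon, though whether radiusd drops privileges itself depends on `radiusd.conf`, which is not in this diff. `syslog.target` in `After=` is obsolete on current systemd and can be removed.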