From: Alan T. DeKok
Date: Mon, 4 Jul 2011 16:02:54 +0000 (+0200)
Subject: Allow root to connect to control socket
X-Git-Tag: release_2_1_12~76
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4efb1f72848d197451b0b5bd700eadecbbe86a36;p=thirdparty%2Ffreeradius-server.git

Allow root to connect to control socket

Even if the configured "allowed UID" has a different value. They're root, so they can do anything. We might as well be polite.
---

diff --git a/src/main/command.c b/src/main/command.c
index b644ec883f5..85f76c72b30 100644
--- a/src/main/command.c
+++ b/src/main/command.c
@@ -2292,18 +2292,26 @@ static int command_domain_accept(rad_listen_t *listener,
 return 0;
 }

- if (sock->uid_name && (sock->uid != uid)) {
- radlog(L_ERR, "Unauthorized connection to %s from uid %ld",
- sock->path, (long int) uid);
- close(newfd);
- return 0;
- }
+ /*
+ * Only do UID checking if the caller is
+ * non-root. The superuser can do anything, so
+ * we might as well let them.
+ */
+ if (uid != 0) {
+ if (sock->uid_name && (sock->uid != uid)) {
+ radlog(L_ERR, "Unauthorized connection to %s from uid %ld",

- if (sock->gid_name && (sock->gid != gid)) {
- radlog(L_ERR, "Unauthorized connection to %s from gid %ld",
- sock->path, (long int) gid);
- close(newfd);
- return 0;
+ sock->path, (long int) uid);
+ close(newfd);
+ return 0;
+ }
+
+ if (sock->gid_name && (sock->gid != gid)) {
+ radlog(L_ERR, "Unauthorized connection to %s from gid %ld",
+ sock->path, (long int) gid);
+ close(newfd);
+ return 0;
+ }
 }
 }
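Review bot: The new `if (uid != 0)` guard skips the gid comparison as well as the uid one, but the comment above it only mentions UID checking, and a root peer that does not match the configured uid/gid is now accepted without any log line. A peer reporting uid 0 is not necessarily fully privileged (for example, possibly a capability-restricted or containerised process that can reach the socket path), so an operator who set the uid/gid options gets no record that the restriction was bypassed. I would reword the comment to `Skip the UID and GID checks when the peer is root.` and record the bypass with an else branch such as `} else if (sock->uid_name || sock->gid_name) { radlog(L_INFO, "Allowing root connection to %s despite uid/gid restriction", sock->path); }`. How `uid` and `gid` are obtained is outside the hunk, as is the rest of command_domain_accept, so the trustworthiness of the peer credentials should be confirmed against the full function.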