From: Fajar A. Nugraha Date: Fri, 10 Aug 2012 04:25:08 +0000 (+0700) Subject: Import freeradius-2.1.12-3.el6.src.rpm X-Git-Tag: release_2_2_0~75^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5444dc6ea4daf0449b7b53d3a2e65b90b3ff0667;p=thirdparty%2Ffreeradius-server.git Import freeradius-2.1.12-3.el6.src.rpm Import spec and additional files from freeradius-2.1.12-3.el6.src.rpm to redhat/ --- diff --git a/redhat/freeradius-cert-config.patch b/redhat/freeradius-cert-config.patch index 8390beb78ba..9967a152eeb 100644 --- a/redhat/freeradius-cert-config.patch +++ b/redhat/freeradius-cert-config.patch @@ -1,6 +1,6 @@ -diff -r -u freeradius-server-2.1.8.orig/raddb/certs/ca.cnf freeradius-server-2.1.8/raddb/certs/ca.cnf ---- freeradius-server-2.1.8.orig/raddb/certs/ca.cnf 2009-12-30 10:44:35.000000000 -0500 -+++ freeradius-server-2.1.8/raddb/certs/ca.cnf 2010-01-08 12:35:23.000000000 -0500 +diff -r -u freeradius-server-2.1.12.orig/raddb/certs/ca.cnf freeradius-server-2.1.12/raddb/certs/ca.cnf +--- freeradius-server-2.1.12.orig/raddb/certs/ca.cnf 2011-09-07 06:59:21.000000000 -0400 ++++ freeradius-server-2.1.12/raddb/certs/ca.cnf 2011-09-07 10:28:28.000000000 -0400 @@ -14,9 +14,9 @@ RANDFILE = $dir/.rand name_opt = ca_default 
@@ -13,10 +13,9 @@ diff -r -u freeradius-server-2.1.8.orig/raddb/certs/ca.cnf freeradius-server-2.1 preserve = no policy = policy_match -Only in freeradius-server-2.1.8/raddb/certs: ca.cnf~ -diff -r -u freeradius-server-2.1.8.orig/raddb/certs/client.cnf freeradius-server-2.1.8/raddb/certs/client.cnf ---- freeradius-server-2.1.8.orig/raddb/certs/client.cnf 2009-12-30 10:44:35.000000000 -0500 -+++ freeradius-server-2.1.8/raddb/certs/client.cnf 2010-01-08 12:35:37.000000000 -0500 +diff -r -u freeradius-server-2.1.12.orig/raddb/certs/client.cnf freeradius-server-2.1.12/raddb/certs/client.cnf +--- freeradius-server-2.1.12.orig/raddb/certs/client.cnf 2011-09-07 06:59:21.000000000 -0400 ++++ freeradius-server-2.1.12/raddb/certs/client.cnf 2011-09-07 10:28:28.000000000 -0400 @@ -14,9 +14,9 @@ RANDFILE = $dir/.rand name_opt = ca_default @@ -29,10 +28,9 @@ diff -r -u freeradius-server-2.1.8.orig/raddb/certs/client.cnf freeradius-server preserve = no policy = policy_match -Only in freeradius-server-2.1.8/raddb/certs: client.cnf~ -diff -r -u freeradius-server-2.1.8.orig/raddb/certs/server.cnf freeradius-server-2.1.8/raddb/certs/server.cnf ---- freeradius-server-2.1.8.orig/raddb/certs/server.cnf 2009-12-30 10:44:35.000000000 -0500 -+++ freeradius-server-2.1.8/raddb/certs/server.cnf 2010-01-08 12:35:05.000000000 -0500 +diff -r -u freeradius-server-2.1.12.orig/raddb/certs/server.cnf freeradius-server-2.1.12/raddb/certs/server.cnf +--- freeradius-server-2.1.12.orig/raddb/certs/server.cnf 2011-09-07 06:59:21.000000000 -0400 ++++ freeradius-server-2.1.12/raddb/certs/server.cnf 2011-09-07 10:28:28.000000000 -0400 @@ -14,9 +14,9 @@ RANDFILE = $dir/.rand name_opt = ca_default 
@@ -45,24 +43,20 @@ diff -r -u freeradius-server-2.1.8.orig/raddb/certs/server.cnf freeradius-server preserve = no policy = policy_match -Only in freeradius-server-2.1.8/raddb/certs: server.cnf~ -diff -r -u freeradius-server-2.1.8.orig/raddb/eap.conf freeradius-server-2.1.8/raddb/eap.conf ---- freeradius-server-2.1.8.orig/raddb/eap.conf 2009-12-30 10:44:35.000000000 -0500 -+++ freeradius-server-2.1.8/raddb/eap.conf 2010-01-08 12:36:04.000000000 -0500 -@@ -251,15 +251,6 @@ - cipher_list = "DEFAULT" - +diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12/raddb/eap.conf +--- freeradius-server-2.1.12.orig/raddb/eap.conf 2011-09-07 06:59:21.000000000 -0400 ++++ freeradius-server-2.1.12/raddb/eap.conf 2011-09-07 10:28:28.000000000 -0400 +@@ -281,7 +281,11 @@ + # for the server to print out an error message, + # and refuse to start. # -- -- # This configuration entry should be deleted -- # once the server is running in a normal -- # configuration. It is here ONLY to make -- # initial deployments easier. -- # - make_cert_command = "${certdir}/bootstrap" -- -- # - # Session resumption / fast reauthentication - # cache. ++ # Redhat RPM's run the bootstrap certificate creation ++ # as part of the RPM install (not upgrade), therefore ++ # the make_cert_command is commented out. ++ # ++ #make_cert_command = "${certdir}/bootstrap" + # -Only in freeradius-server-2.1.8/raddb: eap.conf~ + # Elliptical cryptography configuration +Only in freeradius-server-2.1.12/raddb: eap.conf.orig diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate index 28afbc7f862..ec19fd373f3 100644 --- a/redhat/freeradius-logrotate +++ b/redhat/freeradius-logrotate @@ -30,6 +30,9 @@ create missingok compress + postrotate + /sbin/service radiusd reload + endscript } /var/log/radius/radutmp { @@ -54,7 +57,3 @@ compress missingok } - -lastrotate - kill -HUP `cat /var/run/radiusd/radiusd.pid` -endscript 
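Review bot: The new `postrotate` block in freeradius-logrotate runs `/sbin/service radiusd reload` unconditionally, so on a host where radiusd is stopped logrotate reports a failed postrotate script at every rotation; guard it, e.g. `/sbin/service radiusd status >/dev/null 2>&1 && /sbin/service radiusd reload >/dev/null 2>&1 || :`. The reload is attached only to the stanza that precedes `/var/log/radius/radutmp` (presumably radius.log), while the `radacct/*/detail` stanza still rotates with `nocreate` and no reload, which is only safe if the detail writer reopens its file on each write — worth confirming against the detail module rather than assuming.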
diff --git a/redhat/freeradius-man.patch b/redhat/freeradius-man.patch new file mode 100644 index 00000000000..6c694c5314f --- /dev/null +++ b/redhat/freeradius-man.patch 
@@ -0,0 +1,260 @@ +From 12bbe0c8289260f7db62e010a5e7168ce7bc5644 Mon Sep 17 00:00:00 2001 +From: John Dennis +Date: Fri, 13 Jan 2012 12:45:14 -0500 +Subject: [PATCH] Fix typo in name of rlm_dbm_parser man page +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +It was rlm_dbm_parse but should be rlm_dbm_parser to match the +executable name. Also fix name in man page. +--- + src/modules/rlm_dbm/Makefile.in | 2 +- + src/modules/rlm_dbm/rlm_dbm_parse.8 | 109 ---------------------------------- + src/modules/rlm_dbm/rlm_dbm_parser.8 | 109 ++++++++++++++++++++++++++++++++++ + 3 files changed, 110 insertions(+), 110 deletions(-) + delete mode 100644 src/modules/rlm_dbm/rlm_dbm_parse.8 + create mode 100644 src/modules/rlm_dbm/rlm_dbm_parser.8 + +diff --git a/src/modules/rlm_dbm/Makefile.in b/src/modules/rlm_dbm/Makefile.in +index f970538..cd537ec 100644 +--- a/src/modules/rlm_dbm/Makefile.in ++++ b/src/modules/rlm_dbm/Makefile.in +@@ -29,4 +29,4 @@ rlm_dbm_install: rlm_dbm_cat rlm_dbm_parser + $(LIBTOOL) --mode=install $(INSTALL) -m 755 $(INSTALLSTRIP) \ + rlm_dbm_parser$(EXEEXT) $(R)$(bindir) + $(INSTALL) -m 644 rlm_dbm_cat.8 $(R)$(mandir)/man8 +- $(INSTALL) -m 644 rlm_dbm_parse.8 $(R)$(mandir)/man8 ++ $(INSTALL) -m 644 rlm_dbm_parser.8 $(R)$(mandir)/man8 +diff --git a/src/modules/rlm_dbm/rlm_dbm_parse.8 b/src/modules/rlm_dbm/rlm_dbm_parse.8 +deleted file mode 100644 +index 51dd1fc..0000000 +--- a/src/modules/rlm_dbm/rlm_dbm_parse.8 ++++ /dev/null +@@ -1,109 +0,0 @@ +-.TH RLM_DBM_PARSE 8 +-.SH NAME +-rlm_dbm_parse - transforms simple syntax into rlm_dbm format +-.SH SYNOPSIS +-.B rlm_dbm_parse +-.RB [ \-c ] +-.RB [ \-d +-.IR raddb ] +-.RB [ \-i +-.IR inputfile ] +-.RB [ \-o +-.IR outputfile ] +-.RB [ \-x ] +-.RB [ \-v ] +-.RB [ \-q ] +-[\fIusername ...\fP] +- +-.SH DESCRIPTION +-\fBrlm_dbm_parse\fP reads a file of the syntax defined below, and writes +-a database file usable by rlm_dbm or edits current database. 
+-.PP +- +-.SH INPUT FORMAT +- +-\fIrlm_dbm_parse\fP reads a format similar to the one used by the files +-module. In incomplete RFC2234 ABNF, it looks like this: +- +-.nf +-entries = *entry +-entry = identifier TAB definition +-identifier = username / group-name +-username = +PCHAR +-groupname = +PCHAR +-definition = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF +-check-item = AS IN FILES +-reply-item = AS IN FILES +-* need definition of username and groupname +-.fi +- +-As an example, these are the standard files definitions (files module). +- +-.nf +-DEFAULT Service-Type == Framed-User +- Framed-IP-Address = 255.255.255.254, +- Framed-MTU = 576, +- Service-Type = Framed-User, +- Fall-Through = Yes +- +-#except who call from number 555-666 +-DEFAULT Auth-Type := Reject,Service-Type ==Framed-User, +- Calling-Station-ID == "555-666" +- +-#or call number 555-667 +-DEFAULT Auth-Type := Reject,Service-Type ==Framed-User, +- Calling-Station-ID == "555-667" +-.fi +- +-To be a valid rlm_dbm input file, it should look like this: +- +-.nf +-DEFAULT Service-Type == Framed-User # (1) +- Framed-IP-Address = 255.255.255.254, # comma, list cont'd +- Framed-MTU = 576, +- Service-Type = Framed-User, +- Fall-Through = Yes # \\n, end of list +- Auth-Type := Reject,Service-Type ==Framed-User, # (2) +- Calling-Station-ID == "555-666" +- ; # ;, no reply items +- Auth-Type := Reject,Service-Type ==Framed-User, # (3) +- Calling-Station-ID == "555-667" +- ; # ditto +-.fi +- +-This user (the DEFAULT user) contains three entries, 1, 2 and 3. The +-first entry has a list of reply items, terminated by a reply item +-without a trailing comma. Entries 2 and 3 has empty reply lists, as +-indicated by the semicolon. This is necessary to separate an empty +-line (which is ignored) from the empty list. +-Definition Fall-Through = Yes used in order to say module to check next +-record. By default Fall-Through = Yes. 
+- +-.SH OPTIONS +- +-.IP \-d\ \fIraddb\fP +-Use \fIraddb\fP as the radiusd configuration directory. +-.IP \-i\ \fIinputfile\fP +-Use \fIfile\fP as the input file. If not defined then use standard input. +-.IP \-o\ \fIoutputfile\fP +-Use \fIfile\fP as the output file. +-.IP \-c +-Create a new database (empty output file before writing) +-.IP \-x +-Enable debug mode. Multiple x flags increase debug level. +-.IP \-q +-Do not print statistics (quiet). +-.IP \-v +-Print the version and exit. +-.IP \-r +-Remove a username or group name from the database. +- +-.SH SEE ALSO +-radiusd(8) +-.SH AUTHORS +-.TP +-Author: +-Andrei Koulik +-.TP +-Documentation: +-Bjørn Nordbø +diff --git a/src/modules/rlm_dbm/rlm_dbm_parser.8 b/src/modules/rlm_dbm/rlm_dbm_parser.8 +new file mode 100644 +index 0000000..94137da +--- /dev/null ++++ b/src/modules/rlm_dbm/rlm_dbm_parser.8 +@@ -0,0 +1,109 @@ ++.TH RLM_DBM_PARSER 8 ++.SH NAME ++rlm_dbm_parser - transforms simple syntax into rlm_dbm format ++.SH SYNOPSIS ++.B rlm_dbm_parser ++.RB [ \-c ] ++.RB [ \-d ++.IR raddb ] ++.RB [ \-i ++.IR inputfile ] ++.RB [ \-o ++.IR outputfile ] ++.RB [ \-x ] ++.RB [ \-v ] ++.RB [ \-q ] ++[\fIusername ...\fP] ++ ++.SH DESCRIPTION ++\fBrlm_dbm_parser\fP reads a file of the syntax defined below, and writes ++a database file usable by rlm_dbm or edits current database. ++.PP ++ ++.SH INPUT FORMAT ++ ++\fIrlm_dbm_parser\fP reads a format similar to the one used by the files ++module. In incomplete RFC2234 ABNF, it looks like this: ++ ++.nf ++entries = *entry ++entry = identifier TAB definition ++identifier = username / group-name ++username = +PCHAR ++groupname = +PCHAR ++definition = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF ++check-item = AS IN FILES ++reply-item = AS IN FILES ++* need definition of username and groupname ++.fi ++ ++As an example, these are the standard files definitions (files module). 
++ ++.nf ++DEFAULT Service-Type == Framed-User ++ Framed-IP-Address = 255.255.255.254, ++ Framed-MTU = 576, ++ Service-Type = Framed-User, ++ Fall-Through = Yes ++ ++#except who call from number 555-666 ++DEFAULT Auth-Type := Reject,Service-Type ==Framed-User, ++ Calling-Station-ID == "555-666" ++ ++#or call number 555-667 ++DEFAULT Auth-Type := Reject,Service-Type ==Framed-User, ++ Calling-Station-ID == "555-667" ++.fi ++ ++To be a valid rlm_dbm input file, it should look like this: ++ ++.nf ++DEFAULT Service-Type == Framed-User # (1) ++ Framed-IP-Address = 255.255.255.254, # comma, list cont'd ++ Framed-MTU = 576, ++ Service-Type = Framed-User, ++ Fall-Through = Yes # \\n, end of list ++ Auth-Type := Reject,Service-Type ==Framed-User, # (2) ++ Calling-Station-ID == "555-666" ++ ; # ;, no reply items ++ Auth-Type := Reject,Service-Type ==Framed-User, # (3) ++ Calling-Station-ID == "555-667" ++ ; # ditto ++.fi ++ ++This user (the DEFAULT user) contains three entries, 1, 2 and 3. The ++first entry has a list of reply items, terminated by a reply item ++without a trailing comma. Entries 2 and 3 has empty reply lists, as ++indicated by the semicolon. This is necessary to separate an empty ++line (which is ignored) from the empty list. ++Definition Fall-Through = Yes used in order to say module to check next ++record. By default Fall-Through = Yes. ++ ++.SH OPTIONS ++ ++.IP \-d\ \fIraddb\fP ++Use \fIraddb\fP as the radiusd configuration directory. ++.IP \-i\ \fIinputfile\fP ++Use \fIfile\fP as the input file. If not defined then use standard input. ++.IP \-o\ \fIoutputfile\fP ++Use \fIfile\fP as the output file. ++.IP \-c ++Create a new database (empty output file before writing) ++.IP \-x ++Enable debug mode. Multiple x flags increase debug level. ++.IP \-q ++Do not print statistics (quiet). ++.IP \-v ++Print the version and exit. ++.IP \-r ++Remove a username or group name from the database. 
++ ++.SH SEE ALSO ++radiusd(8) ++.SH AUTHORS ++.TP ++Author: ++Andrei Koulik ++.TP ++Documentation: ++Bjørn Nordbø +-- +1.7.7.5 + diff --git a/redhat/freeradius-perl.patch b/redhat/freeradius-perl.patch new file mode 100644 index 00000000000..8e451422fc8 --- /dev/null +++ b/redhat/freeradius-perl.patch 
@@ -0,0 +1,65 @@ +commit ecb3cd1dbedb764ab98532dae5e0b5bfc9571b00 +Author: Alan T. DeKok +Date: Thu Dec 1 14:21:03 2011 +0100 + + Perl clone should be called sequentially, not in parallel. + + Adding a mutex fixes this. + + Patch from Eike Dehling + +diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c +index 5c82e89..4682ba5 100644 +--- a/src/modules/rlm_perl/rlm_perl.c ++++ b/src/modules/rlm_perl/rlm_perl.c +@@ -77,6 +77,8 @@ typedef struct perl_inst { + char *perl_flags; + PerlInterpreter *perl; + pthread_key_t *thread_key; ++ ++ pthread_mutex_t clone_mutex; + } PERL_INST; + /* + * A mapping of configuration file names to internal variables. +@@ -434,6 +436,8 @@ static int perl_instantiate(CONF_SECTION *conf, void **instance) + */ + + #ifdef USE_ITHREADS ++ pthread_mutex_init(&inst->clone_mutex, NULL); ++ + inst->thread_key = rad_malloc(sizeof(*inst->thread_key)); + memset(inst->thread_key,0,sizeof(*inst->thread_key)); + +@@ -656,8 +660,10 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name) + HV *rad_request_hv; + HV *rad_request_proxy_hv; + HV *rad_request_proxy_reply_hv; +- ++ + #ifdef USE_ITHREADS ++ pthread_mutex_lock(&inst->clone_mutex); ++ + PerlInterpreter *interp; + + interp = rlm_perl_clone(inst->perl,inst->thread_key); +@@ -665,9 +671,12 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name) + dTHXa(interp); + PERL_SET_CONTEXT(interp); + } ++ ++ pthread_mutex_unlock(&inst->clone_mutex); + #else + PERL_SET_CONTEXT(inst->perl); + #endif ++ + { + dSP; + +@@ -974,6 +983,7 @@ static int perl_detach(void *instance) + + #ifdef USE_ITHREADS + rlm_perl_destruct(inst->perl); ++ pthread_mutex_destroy(&inst->clone_mutex); + #else + perl_destruct(inst->perl); + perl_free(inst->perl); diff --git a/redhat/freeradius-postgres-sql.patch b/redhat/freeradius-postgres-sql.patch new file mode 100644 index 00000000000..08cc706da03 --- /dev/null +++ b/redhat/freeradius-postgres-sql.patch 
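Review bot: In the rlmperl_call hunk the added `pthread_mutex_lock(&inst->clone_mutex);` is placed before the `PerlInterpreter *interp;` declaration inside `#ifdef USE_ITHREADS`, a statement ahead of a declaration that C89 rejects and that trips `-Wdeclaration-after-statement`; moving the lock to just after `PerlInterpreter *interp;` keeps the same critical section. One source line between the two rlmperl_call hunks lies inside the locked region and is not shown; if any path there returns early, the mutex is never released, so that should be checked. The init in perl_instantiate and the destroy in perl_detach are both under `USE_ITHREADS`, matching the lock sites. rlmperl_call's body starts and ends outside the hunks.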
@@ -0,0 +1,11 @@
+diff -r -u freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql
+--- freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql 2011-09-30 10:12:07.000000000 -0400
++++ freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql 2012-02-28 13:16:36.329403383 -0500
+@@ -28,5 +28,5 @@
+ /*
+ * The server can write to the accounting and post-auth logging table.
+ */
+-GRANT ALL on radius.radacct TO radius;
+-GRANT ALL on radius.radpostauth TO radius;
++GRANT ALL on radacct TO radius;
++GRANT ALL on radpostauth TO radius;
diff --git a/redhat/freeradius-radeapclient-ipv6.patch b/redhat/freeradius-radeapclient-ipv6.patch
new file mode 100644
index 00000000000..761b5990f8b
--- /dev/null
+++ b/redhat/freeradius-radeapclient-ipv6.patch
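Review bot: The two rewritten grants keep `GRANT ALL`, which on PostgreSQL also confers TRUNCATE, REFERENCES and TRIGGER on the tables — more than the comment directly above ("The server can write to …") describes; name only the privileges the server's accounting and post-auth queries need, e.g. `GRANT SELECT, INSERT, UPDATE ON radacct TO radius;` and `GRANT INSERT ON radpostauth TO radius;`, checked against the queries in the shipped postgresql dialup.conf. Dropping the `radius.` schema qualifier presumably matches the tables being created in the default schema by the accompanying schema.sql; that file is not in this change, so the unqualified names should be verified against it.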
@@ -0,0 +1,158 @@ +diff -r -u freeradius-server-2.1.12.orig/man/man1/radeapclient.1 freeradius-server-2.1.12.work/man/man1/radeapclient.1 +--- freeradius-server-2.1.12.orig/man/man1/radeapclient.1 2011-09-30 10:12:07.000000000 -0400 ++++ freeradius-server-2.1.12.work/man/man1/radeapclient.1 2012-02-28 11:11:46.023456307 -0500 +@@ -3,6 +3,8 @@ + radeapclient - send EAP packets to a RADIUS server, calculate responses + .SH SYNOPSIS + .B radeapclient ++.RB [ \-4 ] ++.RB [ \-6 ] + .RB [ \-c + .IR count ] + .RB [ \-d +@@ -27,7 +29,7 @@ + \fBradeapclient\fP is a radius client program. It can send arbitrary radius + packets to a radius server, then shows the reply. Radeapclient differs from + radclient in that if there is an EAP-MD5 challenge, then it will be responded +-to. ++to. + .PP + \fBradeapclient\fP is otherwise identical to \fBradclient\fP. + .PP +@@ -36,11 +38,15 @@ + .PP + .PP + The \fIEAP-MD5-Password\fP attribute, if present is used to respond to an +-MD5 challenge. ++MD5 challenge. + .PP + No other EAP types are currently supported. + + .SH OPTIONS ++.IP \-4 ++Use IPv4 (default) ++.IP \-6 ++Use IPv6 + .IP \-c\ \fIcount\fP + Send each packet \fIcount\fP times. + .IP \-d\ \fIraddb\fP +@@ -82,7 +88,7 @@ + echo 'EAP-Type-Identity = "bob"; + echo 'Message-Authenticator = 0x00'; + echo 'NAS-Port = 0' ) >req.txt +- ++ + radeapclient -x localhost auth testing123 dst_ipaddr; + port = packet->dst_port; + } +- ++ + /* + * Client-specific debugging re-prints the input + * packet into the client log. 
+@@ -975,15 +977,22 @@ + FILE *fp; + int count = 1; + int id; ++ int force_af = AF_UNSPEC; + + id = ((int)getpid() & 0xff); + fr_debug_flag = 0; + + radlog_dest = RADLOG_STDERR; + +- while ((c = getopt(argc, argv, "c:d:f:hi:qst:r:S:xXv")) != EOF) ++ while ((c = getopt(argc, argv, "46c:d:f:hi:qst:r:S:xXv")) != EOF) + { + switch(c) { ++ case '4': ++ force_af = AF_INET; ++ break; ++ case '6': ++ force_af = AF_INET6; ++ break; + case 'c': + if (!isdigit((int) *optarg)) + usage(); +@@ -1106,11 +1115,45 @@ + req->id = id; + + /* +- * Strip port from hostname if needed. ++ * Resolve hostname. + */ +- if ((p = strchr(argv[1], ':')) != NULL) { +- *p++ = 0; +- port = atoi(p); ++ if (force_af == AF_UNSPEC) force_af = AF_INET; ++ req->dst_ipaddr.af = force_af; ++ if (strcmp(argv[1], "-") != 0) { ++ const char *hostname = argv[1]; ++ const char *portname = argv[1]; ++ char buffer[256]; ++ ++ if (*argv[1] == '[') { /* IPv6 URL encoded */ ++ p = strchr(argv[1], ']'); ++ if ((size_t) (p - argv[1]) >= sizeof(buffer)) { ++ usage(); ++ } ++ ++ memcpy(buffer, argv[1] + 1, p - argv[1] - 1); ++ buffer[p - argv[1] - 1] = '\0'; ++ ++ hostname = buffer; ++ portname = p + 1; ++ ++ } ++ p = strchr(portname, ':'); ++ if (p && (strchr(p + 1, ':') == NULL)) { ++ *p = '\0'; ++ portname = p + 1; ++ } else { ++ portname = NULL; ++ } ++ ++ if (ip_hton(hostname, force_af, &req->dst_ipaddr) < 0) { ++ fprintf(stderr, "radclient: Failed to find IP address for host %s: %s\n", hostname, strerror(errno)); ++ exit(1); ++ } ++ ++ /* ++ * Strip port from hostname if needed. ++ */ ++ if (portname) port = atoi(portname); + } + + /* +@@ -1143,15 +1186,7 @@ + } else { + usage(); + } +- +- /* +- * Resolve hostname. +- */ + req->dst_port = port; +- if (ip_hton(argv[1], AF_INET, &req->dst_ipaddr) < 0) { +- fprintf(stderr, "radclient: Failed to find IP address for host %s\n", argv[1]); +- exit(1); +- } + + /* + * Add the secret. 
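Review bot: In the new bracketed-IPv6 branch, `p = strchr(argv[1], ']')` is used without a NULL check, so an argument such as `[::1` with no closing bracket makes `p - argv[1]` undefined and hands a huge length to `memcpy(buffer, …)`; the guard should read `if (!p || (size_t)(p - argv[1]) >= sizeof(buffer)) usage();` (assuming `usage()` does not return, as its other uses in the hunk suggest). The failure message on the new `ip_hton` call says `radclient:` inside radeapclient and appends `strerror(errno)`, which is only meaningful if `ip_hton` leaves a relevant errno on resolver failure — not visible here, so worth confirming. The enclosing main() starts and ends outside the hunk.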
diff --git a/redhat/freeradius-radtest.patch b/redhat/freeradius-radtest.patch
new file mode 100644
index 00000000000..2974b158e95
--- /dev/null
+++ b/redhat/freeradius-radtest.patch
@@ -0,0 +1,13 @@
+diff -u -r freeradius-server-2.1.12.orig/src/main/radtest.in freeradius-server-2.1.12/src/main/radtest.in
+--- freeradius-server-2.1.12.orig/src/main/radtest.in 2011-09-30 10:12:07.000000000 -0400
++++ freeradius-server-2.1.12/src/main/radtest.in 2012-01-05 15:51:56.877585514 -0500
+@@ -121,7 +121,7 @@
+ echo "EAP-Code = Response"
+ echo "EAP-Type-Identity = \"$1\""
+ fi
+- if [ "$6" ]
++ if [ ! -z "$6" ] && [[ $6 =~ ^[0-9]+$ ]] && [ $6 -gt 0 ]
+ then
+ echo "Framed-Protocol = PPP"
+ fi
+Only in freeradius-server-2.1.12/src/main: radtest.in~
diff --git a/redhat/freeradius-unix-passwd-expire.patch b/redhat/freeradius-unix-passwd-expire.patch
new file mode 100644
index 00000000000..ee75c3aa2a1
--- /dev/null
+++ b/redhat/freeradius-unix-passwd-expire.patch
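Review bot: The new test `[[ $6 =~ ^[0-9]+$ ]]` is a bash extension and the interpreter line of radtest.in is outside the hunk; if it is `/bin/sh`, the script breaks on a POSIX sh such as dash even though it works where /bin/sh is bash. A portable equivalent for the whole `if … fi` is `case $6 in ''|*[!0-9]*) ;; *) [ "$6" -gt 0 ] && echo "Framed-Protocol = PPP" ;; esac`, which also drops the `! -z "$6"` test that the digit check already covers. The trailing `Only in freeradius-server-2.1.12/src/main: radtest.in~` line is a `diff -r` artifact from an editor backup; `patch` ignores it, but it should not be shipped in the patch file.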
@@ -0,0 +1,39 @@ +--- freeradius-server-2.1.12.orig/src/modules/rlm_unix/rlm_unix.c 2011-09-30 10:12:07.000000000 -0400 ++++ freeradius/freeradius-server/src/modules/rlm_unix/rlm_unix.c 2012-02-27 15:10:19.782821614 -0500 +@@ -274,9 +274,17 @@ + /* + * Check if password has expired. + */ ++ if (spwd && spwd->sp_lstchg > 0 && spwd->sp_max >= 0 && ++ (request->timestamp / 86400) > (spwd->sp_lstchg + spwd->sp_max)) { ++ radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name); ++ return RLM_MODULE_REJECT; ++ } ++ /* ++ * Check if account has expired. ++ */ + if (spwd && spwd->sp_expire > 0 && + (request->timestamp / 86400) > spwd->sp_expire) { +- radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name); ++ radlog_request(L_AUTH, 0, request, "[%s]: account has expired", name); + return RLM_MODULE_REJECT; + } + #endif +@@ -363,7 +371,7 @@ + if (fr_crypt_check((char *) request->password->vp_strvalue, + (char *) vp->vp_strvalue) != 0) { + radlog_request(L_AUTH, 0, request, "invalid password \"%s\"", +- request->username->vp_strvalue); ++ request->password->vp_strvalue); + return RLM_MODULE_REJECT; + } + #endif /* OSFFIA */ +@@ -440,7 +448,7 @@ + * Which type is this. + */ + if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) { +- radlog(L_ERR, "rlm_unix: no Accounting-Status-Type attribute in request."); ++ RDEBUG("no Accounting-Status-Type attribute in request."); + return RLM_MODULE_NOOP; + } + status = vp->vp_integer; diff --git a/redhat/freeradius.spec b/redhat/freeradius.spec index 29d1524e518..1063a0c8032 100644 --- a/redhat/freeradius.spec +++ b/redhat/freeradius.spec @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius -Version: 2.2.0 -Release: 1%{?dist} +Version: 2.1.12 +Release: 3%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ 
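Review bot: The second rlm_unix.c hunk changes the `invalid password` log line to print `request->password->vp_strvalue`, so every failed Unix authentication now writes the submitted cleartext password to the auth log; mistyped passwords are typically a character away from the real one and users also submit credentials belonging to other accounts, so that value belongs in no log. Keep the username and fix the wording instead: `radlog_request(L_AUTH, 0, request, "invalid password for user \"%s\"", request->username->vp_strvalue);`. In the first hunk the new expiry test requires `sp_lstchg > 0`, so the shadow convention of lstchg == 0 ("must change password at next login") is accepted rather than rejected; if that is deliberate a comment on the condition should say so. The enclosing function starts and ends outside the hunks.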
@@ -12,6 +12,12 @@ Source102: freeradius-logrotate Source103: freeradius-pam-conf Patch1: freeradius-cert-config.patch +Patch2: freeradius-radtest.patch +Patch3: freeradius-man.patch +Patch4: freeradius-unix-passwd-expire.patch +Patch5: freeradius-radeapclient-ipv6.patch +Patch6: freeradius-postgres-sql.patch +Patch7: freeradius-perl.patch Obsoletes: freeradius-devel Obsoletes: freeradius-libs @@ -142,6 +148,13 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. %prep %setup -q -n freeradius-server-%{version} %patch1 -p1 -b .cert-config +%patch2 -p1 -b .radtest +%patch3 -p1 -b .man +%patch4 -p1 -b unix-passwd-expire +%patch5 -p1 -b radeapclient-ipv6 +%patch6 -p1 -b postgres-sql +%patch7 -p1 -b perl + # Some source files mistakenly have execute permissions set find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} + @@ -156,6 +169,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic" --libdir=%{_libdir}/freeradius \ --with-system-libtool \ --disable-ltdl-install \ + --with-udpfromto \ --with-gnu-ld \ --with-threads \ --with-thread-pool \ @@ -178,12 +192,10 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic" perl -pi -e 's:sys_lib_search_path_spec=.*:sys_lib_search_path_spec="/lib64 /usr/lib64 /usr/local/lib64":' libtool %endif -make +make LINK_MODE=-pie %install -rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT/var/run/radiusd -mkdir -p $RPM_BUILD_ROOT/var/lib/radiusd +mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd # fix for bad libtool bug - can not rebuild dependent libs and bins #FIXME export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} make install R=$RPM_BUILD_ROOT 
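Review bot: The backup suffixes on the new `%patch4`–`%patch7` lines (`-b unix-passwd-expire` and so on) lack the leading dot that `%patch1`–`%patch3` use, and rpm appends the suffix verbatim, so the backups become names like `rlm_unix.cunix-passwd-expire`; make them `-b .unix-passwd-expire`, `-b .radeapclient-ipv6`, `-b .postgres-sql`, `-b .perl`. Patch6 edits `raddb/sql/postgresql/admin.sql` and `%files postgresql` packages `/etc/raddb/sql/postgresql/*` with a glob, so if the install rule copies that directory wholesale the backup file lands in the RPM regardless of suffix — check the built package's file list, or drop `-b` for patches that touch raddb/.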
@@ -199,6 +211,9 @@ install -D -m 755 %{SOURCE100} $RPM_BUILD_ROOT/%{initddir}/radiusd install -D -m 644 %{SOURCE102} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd install -D -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd +mkdir -p %{buildroot}%{_localstatedir}/run/ +install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/ + # remove unneeded stuff rm -rf doc/00-OLD rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd @@ -210,7 +225,7 @@ rm -rf $RPM_BUILD_ROOT/%{_datadir}/dialup_admin/sql/oracle rm -rf $RPM_BUILD_ROOT/%{_datadir}/dialup_admin/lib/sql/oracle rm -rf $RPM_BUILD_ROOT/%{_datadir}/dialup_admin/lib/sql/drivers/oracle -# remove header files, we don't ship a devel package and the +# remove header files, we don't ship a devel package and the # headers have multilib conflicts rm -rf $RPM_BUILD_ROOT/%{_includedir} 
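Review bot: `install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/`, together with `%attr(710,radiusd,radiusd)` in the `%files` hunk below, makes the pid-file directory unreadable to anyone outside the radiusd group, while the 2.1.7-3 changelog entry still on this page says it was widened from 0700 to 0755 precisely so that `service radiusd status` works as non-root; if the tighter mode is intentional, a comment next to the `install -d` line should record why, otherwise this is a regression of that fix. The `mkdir -p %{buildroot}%{_localstatedir}/run/` line above it is redundant, since GNU `install -d` creates missing parent directories. The new lines also use `%{buildroot}` where the rest of `%install` uses `$RPM_BUILD_ROOT`; either is fine, but one spelling should be used throughout.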
@@ -237,37 +252,39 @@ Please reference that document. EOF -%clean -rm -rf $RPM_BUILD_ROOT - - # Make sure our user/group is present prior to any package or subpackage installation %pre -getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd +getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1 getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -s /sbin/nologin radiusd > /dev/null 2>&1 exit 0 %post -if [ $1 = 1 ]; then +if [ $1 -eq 1 ]; then # install /sbin/chkconfig --add radiusd if [ ! -e /etc/raddb/certs/server.pem ]; then - /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1 || : + /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1 fi fi +exit 0 %preun -if [ $1 = 0 ]; then +if [ $1 -eq 0 ]; then # uninstall /sbin/service radiusd stop > /dev/null 2>&1 /sbin/chkconfig --del radiusd fi +exit 0 %postun -if [ $1 -ge 1 ]; then - /sbin/service radiusd condrestart >/dev/null 2>&1 || : +if [ $1 -ge 1 ]; then # upgrade + /sbin/service radiusd condrestart >/dev/null 2>&1 fi - +if [ $1 -eq 0 ]; then # uninstall + getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1 + getent group radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1 +fi +exit 0 %files %defattr(-,root,root) @@ -275,7 +292,8 @@ fi %config(noreplace) %{_sysconfdir}/pam.d/radiusd %config(noreplace) %{_sysconfdir}/logrotate.d/radiusd %{initddir}/radiusd -%dir %attr(755,radiusd,radiusd) /var/lib/radiusd +%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd +%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd # configs %dir %attr(755,root,radiusd) /etc/raddb %defattr(-,root,radiusd) 
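Review bot: The new `%postun` branch runs `userdel radiusd` and `groupdel radiusd` on package removal, which the Fedora/RHEL packaging guidelines advise against: the `%config(noreplace)` files under /etc/raddb and the logs under /var/log/radius survive the uninstall owned by uid/gid 95, and an account later created with that id inherits them. The fixed `-u 95`/`-g 95` in `%pre` narrows the exposure to an id collision rather than arbitrary reuse, but the safer convention is to leave the system account in place and drop those two lines. Removing `|| :` from the bootstrap call in `%post` is harmless only because each scriptlet now ends in `exit 0`; a comment such as `# bootstrap failure must not fail the install; see exit 0 below` would make that dependence explicit.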
@@ -361,7 +379,6 @@ fi %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/sradutmp %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/unix %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/wimax -%dir %attr(755,radiusd,radiusd) /var/run/radiusd/ # binaries %defattr(-,root,root) /usr/sbin/checkrad @@ -510,7 +527,6 @@ fi %{_libdir}/freeradius/rlm_wimax-%{version}.so %files utils -%defattr(-,root,root) /usr/bin/* # man-pages %doc %{_mandir}/man1/radclient.1.gz @@ -519,27 +535,30 @@ fi %doc %{_mandir}/man1/radtest.1.gz %doc %{_mandir}/man1/radwho.1.gz %doc %{_mandir}/man1/radzap.1.gz +%doc %{_mandir}/man1/smbencrypt.1.gz +%doc %{_mandir}/man5/checkrad.5.gz +%doc %{_mandir}/man8/radconf2xml.8.gz +%doc %{_mandir}/man8/radcrypt.8.gz +%doc %{_mandir}/man8/radsniff.8.gz %doc %{_mandir}/man8/radsqlrelay.8.gz +%doc %{_mandir}/man8/rlm_dbm_cat.8.gz +%doc %{_mandir}/man8/rlm_dbm_parser.8.gz %doc %{_mandir}/man8/rlm_ippool_tool.8.gz %files krb5 -%defattr(-,root,root) %{_libdir}/freeradius/rlm_krb5.so %{_libdir}/freeradius/rlm_krb5-%{version}.so %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/krb5 %files perl -%defattr(-,root,root) %{_libdir}/freeradius/rlm_perl.so %{_libdir}/freeradius/rlm_perl-%{version}.so %files python -%defattr(-,root,root) %{_libdir}/freeradius/rlm_python.so %{_libdir}/freeradius/rlm_python-%{version}.so %files mysql -%defattr(-,root,root) %dir %attr(750,root,radiusd) /etc/raddb/sql/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sql/mysql/* %dir %attr(750,root,radiusd) /etc/raddb/sql/ndb 
@@ -548,27 +567,51 @@ fi %{_libdir}/freeradius/rlm_sql_mysql-%{version}.so %files postgresql -%defattr(-,root,root) %dir %attr(750,root,radiusd) /etc/raddb/sql/postgresql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sql/postgresql/* %{_libdir}/freeradius/rlm_sql_postgresql.so %{_libdir}/freeradius/rlm_sql_postgresql-%{version}.so %files ldap -%defattr(-,root,root) %attr(640,root,radiusd) %config(noreplace) /etc/raddb/ldap.attrmap %{_libdir}/freeradius/rlm_ldap.so %{_libdir}/freeradius/rlm_ldap-%{version}.so %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/ldap %files unixODBC -%defattr(-,root,root) %{_libdir}/freeradius/rlm_sql_unixodbc.so %{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so %changelog -* Wed Sep 22 2010 John Dennis - 2.1.10-1 -- upgrade to latest upstream release +* Tue Apr 10 2012 John Dennis - 2.1.12-2 +- resolves: bug#810605 Segfault with freeradius-perl threading + +* Mon Feb 27 2012 John Dennis - 2.1.12-1 +- Upgrade to latest upstream release: 2.1.12 + resolves: bug#736878 Rebase to latest upstream + resolves: bug#705723 logrotate script does not reload running daemon + resolves: bug#787116 radtest PPPhint option not parsed correctly + resolves: bug#700870 freeradius not compiled with --with-udpfromto + resolves: bug#753764 shadow password expiration does not work + resolves: bug#712803 radtest script is not working with eap-md5 option + resolves: bug#690756 errors in raddb/sql/postgresql/admin.sql template + +* Thu Mar 24 2011 John Dennis - 2.1.10-5 +- Resolves: #689045 Using rlm_perl cause radiusd failed to start + Fix configure typo which caused lt_dladvise_* functions to be skipped. 
+ run autogen.sh because HAVE_LT_DLADVISE_INIT isn't in src/main/autogen.h + Implemented by: freeradius-lt-dladvise.patch + +* Wed Feb 23 2011 John Dennis - 2.1.10-4 +- Resolves: #599528 - make radtest IPv6 compatible + +* Wed Jan 12 2011 John Dennis - 2.1.10-3 +- Resolves: #644100, Rebase to current release +- Fix 666589 - removing freeradius from system does not delete the user "radiusd" + fix scriptlet argument testing, simplify always exiting with zero + +* Tue Oct 19 2010 John Dennis - 2.1.10-1 +- Upgrade to latest upstream release Feature improvements * Install the "radcrypt" program. * Enable radclient to send requests containing MS-CHAPv1 @@ -601,8 +644,8 @@ fi * Add Module-Failure-Message for mschap module (ntlm_auth) * made rlm_sql_sqlite database configurable. Use "filename" in sql{} section. - * Added %{tolower: ...string ... }, which returns the lowercase - version of the string. + * Added %%{tolower: ...string ... }, which returns the lowercase + version of the string. Also added %%{toupper: ... } for uppercase. Bug fixes * Fix endless loop when there are multiple sub-options for @@ -694,8 +737,8 @@ fi * Fix hang on startup when multiple home servers were defined with "src_ipaddr" field. * Fix 32/64 bit issue in rlm_ldap. Closes bug #105. - * If the first "listen" section uses 127.0.0.1, don't use that - as the source IP for proxying. It won't work. + * If the first "listen" section defines 127.0.0.1, don't use that + as a source IP for proxying. It won't work. * When Proxy-To-Realm is set to a non-existent realm, the EAP module should handle the request, rather than expecting it to be proxied. * Fix IPv4 issues with udpfromto. Closes bug #110. 
@@ -704,16 +747,20 @@ fi * Multiple calls to ber_printf seem to work better. Closes #106. * Fix "unlang" so that "attribute not found" is treated as a "false" comparison, rather than a syntax error in the configuration. + * Fix issue with "Group" attribute. +* Fri Sep 3 2010 Nalin Dahyabhai - 2.1.9-3 +- Resolves: bug #629951 + override LINK_MODE at compile-time to add -pie to linker flags, so that + radiusd will be built as a PIE -* Sat Jul 31 2010 Orcan Ogetbil - 2.1.9-3 -- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild - -* Tue Jun 01 2010 Marcela Maslanova - 2.1.9-2 -- Mass rebuild with perl-5.12.0 +* Thu Jun 10 2010 John Dennis - 2.1.9-2 +- Resolves: bug #599521 + use DNS to resolve NAS-IPv6-Address attribute * Mon May 24 2010 John Dennis - 2.1.9-1 - update to latest upstream, mainly bug fix release +- Resolves: bug #584101 Feature improvements * Add radmin command "stats detail " to see what is going on inside of a detail file reader. @@ -787,12 +834,15 @@ fi * Allow spaces when parsing integer values. This helps people who put "too much" into an SQL value field. +* Thu Apr 8 2010 John Dennis - 2.1.8-3 +- Resolves: bug #539466 + * Thu Jan 7 2010 John Dennis - 2.1.8-2 -- resolves: bug #526559 initial install should run bootstrap to create certificates +- bug #526559 initial install should run bootstrap to create certificates running radiusd in debug mode to generate inital temporary certificates is no longer necessary, the /etc/raddb/certs/bootstrap is invoked on initial rpm install (not upgrade) if there is no existing /etc/raddb/certs/server.pem file -- resolves: bug #528493 use sha1 algorithm instead of md5 during cert generation +- bug #528493 use sha1 algorithm instead of md5 during cert generation the certificate configuration (/etc/raddb/certs/{ca,server,client}.cnf) files were modifed to use sha1 instead of md5 and the validity reduced from 1 year to 2 months 
@@ -865,7 +915,7 @@ fi - rebuild against perl 5.10.1 * Thu Dec 3 2009 John Dennis - 2.1.7-3 -- resolves: bug #522111 non-conformant initscript +- bug #522111 non-conformant initscript also change permission of /var/run/radiusd from 0700 to 0755 so that "service radiusd status" can be run as non-root diff --git a/redhat/radiusd-logrotate b/redhat/radiusd-logrotate deleted file mode 100644 index 8c5c6fbba95..00000000000 --- a/redhat/radiusd-logrotate +++ /dev/null @@ -1,56 +0,0 @@ -# You can use this to rotate the /var/log/radius/* files, simply copy -# it to /etc/logrotate.d/radiusd - -# There are different detail-rotating strategies you can use. One is -# to write to a single detail file per IP and use the rotate config -# below. Another is to write to a daily detail file per IP with: -# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail -# (or similar) in radiusd.conf, without rotation. If you go with the -# second technique, you will need another cron job that removes old -# detail files. You do not need to comment out the below for method #2. -/var/log/radius/radacct/*/detail { - monthly - rotate 4 - nocreate - missingok - compress -} - -/var/log/radius/checkrad.log { - monthly - rotate 4 - create - missingok - compress -} - -/var/log/radius/radius.log { - monthly - rotate 4 - create - missingok - compress -} - -/var/log/radius/radutmp { - monthly - rotate 4 - create - compress - missingok -} - -/var/log/radius/radwtmp { - monthly - rotate 4 - create - compress - missingok -} -/var/log/radius/sqltrace.sql { - monthly - rotate 4 - create - compress - missingok -} diff --git a/redhat/radiusd-pam b/redhat/radiusd-pam deleted file mode 100644 index a4dd2b53705..00000000000 --- a/redhat/radiusd-pam +++ /dev/null 
@@ -1,7 +0,0 @@
-#%PAM-1.0
-auth required /lib/security/pam_unix_auth.so shadow nullok
-auth required /lib/security/pam_nologin.so
-account required /lib/security/pam_unix_acct.so
-password required /lib/security/pam_cracklib.so
-password required /lib/security/pam_unix_password.so shadow nullok use_authtok
-session required /lib/security/pam_unix_session.so