The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
main_config.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 62becaa5f0ec0cc740d3a21fd455609fe1068b93 $
19 *
20 * @brief Handle the the main server's (radiusd) configuration.
21 * @file src/lib/server/main_config.c
22 *
23 * @copyright 2002,2006-2007 The FreeRADIUS server project
24 * @copyright 2002 Alan DeKok (aland@freeradius.org)
25 */
26
27RCSID("$Id: 62becaa5f0ec0cc740d3a21fd455609fe1068b93 $")
28
29#include <freeradius-devel/server/cf_file.h>
30#include <freeradius-devel/server/client.h>
31#include <freeradius-devel/server/dependency.h>
32#include <freeradius-devel/server/main_config.h>
33#include <freeradius-devel/server/map_proc.h>
34#include <freeradius-devel/server/modpriv.h>
35#include <freeradius-devel/server/util.h>
36#include <freeradius-devel/server/virtual_servers.h>
37
38
39#include <freeradius-devel/util/conf.h>
40#include <freeradius-devel/util/file.h>
41#include <freeradius-devel/util/hw.h>
42#include <freeradius-devel/util/perm.h>
43#include <freeradius-devel/util/sem.h>
44#include <freeradius-devel/util/pair_legacy.h>
45
46#include <freeradius-devel/unlang/xlat_func.h>
47
48
49
50#ifdef HAVE_SYSLOG_H
51# include <syslog.h>
52#endif
53
54#ifdef HAVE_FCNTL_H
55# include <fcntl.h>
56#endif
57
58main_config_t const *main_config; //!< Main server configuration.
59
60extern fr_log_t debug_log;
61
62fr_log_t debug_log = { .fd = -1, .dst = L_DST_NULL };
63
64/**********************************************************************
65 *
66 * We need to figure out where the logs go, before doing anything
67 * else. This is so that the log messages go to the correct
68 * place.
69 *
70 * BUT, we want the settings from the command line to over-ride
71 * the ones in the configuration file. So, these items are
72 * parsed ONLY if there is no "-l foo" on the command line.
73 *
74 **********************************************************************/
75
76static int reverse_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent,CONF_ITEM *ci, conf_parser_t const *rule);
77static int hostname_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
78
79static int num_networks_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
80static int num_workers_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
81static int num_workers_dflt(CONF_PAIR **out, void *parent, CONF_SECTION *cs, fr_token_t quote, conf_parser_t const *rule);
82
83static int lib_dir_on_read(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
84
85static int talloc_pool_size_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
86
87static int max_request_time_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
88
89static int name_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
90
91/*
92 * Log destinations
93 */
95 { FR_CONF_OFFSET("destination", main_config_t, log_dest), .dflt = "file" },
96 { FR_CONF_OFFSET("syslog_facility", main_config_t, syslog_facility), .dflt = "daemon",
98 .uctx = &(cf_table_parse_ctx_t){
99 .table = syslog_facility_table,
101 }
102 },
103 { FR_CONF_OFFSET("local_state_dir", main_config_t, local_state_dir), .dflt = "${prefix}/var"},
104 { FR_CONF_OFFSET("logdir", main_config_t, log_dir), .dflt = "${local_state_dir}/log"},
105 { FR_CONF_OFFSET("file", main_config_t, log_file), .dflt = "${logdir}/radius.log" },
106 { FR_CONF_OFFSET("suppress_secrets", main_config_t, suppress_secrets), .dflt = "no" },
108};
109
110/*
111 * Basic configuration for the server.
112 */
114 { FR_CONF_POINTER("log", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) initial_log_config },
115
117};
118
119/*
120 * Basic configuration for the server.
121 */
123 { FR_CONF_OFFSET("prefix", main_config_t, prefix), .dflt = "/usr/local" },
124
127
128 { FR_CONF_OFFSET("libdir", main_config_t, lib_dir), .dflt = "${prefix}/lib",
130
132};
133
134/**********************************************************************
135 *
136 * Now that we've parsed the log destination, AND the security
137 * items, we can parse the rest of the configuration items.
138 *
139 **********************************************************************/
140static const conf_parser_t log_config[] = {
141 { FR_CONF_OFFSET("colourise", main_config_t, do_colourise) },
142 { FR_CONF_OFFSET("line_number", main_config_t, log_line_number) },
143 { FR_CONF_OFFSET("timestamp", main_config_t, log_timestamp) },
146};
147
148
149static const conf_parser_t resources[] = {
150 /*
151 * Don't set a default here. It's set in the code, below. This means that
152 * the config item will *not* get printed out in debug mode, so that no one knows
153 * it exists.
154 */
155 { FR_CONF_OFFSET_FLAGS("talloc_memory_report", CONF_FLAG_HIDDEN, main_config_t, talloc_memory_report) }, /* DO NOT SET DEFAULT */
157};
158
159static const conf_parser_t thread_config[] = {
160 { FR_CONF_OFFSET("num_networks", main_config_t, max_networks), .dflt = STRINGIFY(1),
162 { FR_CONF_OFFSET("num_workers", main_config_t, max_workers), .dflt = STRINGIFY(0),
163 .func = num_workers_parse, .dflt_func = num_workers_dflt },
164
165 { FR_CONF_OFFSET_TYPE_FLAGS("stats_interval", FR_TYPE_TIME_DELTA, CONF_FLAG_HIDDEN, main_config_t, stats_interval) },
166
167#ifdef WITH_TLS
168 { FR_CONF_OFFSET_TYPE_FLAGS("openssl_async_pool_init", FR_TYPE_SIZE, 0, main_config_t, openssl_async_pool_init), .dflt = "64" },
169 { FR_CONF_OFFSET_TYPE_FLAGS("openssl_async_pool_max", FR_TYPE_SIZE, 0, main_config_t, openssl_async_pool_max), .dflt = "1024" },
170#endif
171
173};
174
175/*
176 * Migration configuration.
177 */
179 { FR_CONF_OFFSET_FLAGS("rewrite_update", CONF_FLAG_HIDDEN, main_config_t, rewrite_update) },
180 { FR_CONF_OFFSET_FLAGS("forbid_update", CONF_FLAG_HIDDEN, main_config_t, forbid_update) },
181
183};
184
185#ifndef NDEBUG
186/*
187 * Migration configuration.
188 */
190 { FR_CONF_OFFSET_FLAGS("countup_instructions", CONF_FLAG_HIDDEN, main_config_t, ins_countup) },
191 { FR_CONF_OFFSET_FLAGS("max_instructions", CONF_FLAG_HIDDEN, main_config_t, ins_max) },
193};
194#endif
195
200
202 { FR_CONF_OFFSET("max", main_config_t, worker.max_requests), .dflt = "0" },
203 { FR_CONF_OFFSET("timeout", main_config_t, worker.max_request_time), .dflt = STRINGIFY(MAX_REQUEST_TIME), .func = max_request_time_parse },
204 { FR_CONF_OFFSET_TYPE_FLAGS("talloc_pool_size", FR_TYPE_SIZE, CONF_FLAG_HIDDEN, main_config_t, worker.reuse.child_pool_size), .func = talloc_pool_size_parse }, /* DO NOT SET DEFAULT */
205 { FR_CONF_OFFSET_SUBSECTION("reuse", 0, main_config_t, worker.reuse, request_reuse_config) },
207};
208
209static const conf_parser_t server_config[] = {
210 /*
211 * FIXME: 'prefix' is the ONLY one which should be
212 * configured at compile time. Hard-coding it here is
213 * bad. It will be cleaned up once we clean up the
214 * hard-coded defines for the locations of the various
215 * files.
216 */
217 { FR_CONF_OFFSET("prefix", main_config_t, prefix), .dflt = "/usr/local" },
218 { FR_CONF_OFFSET("local_state_dir", main_config_t, local_state_dir), .dflt = "${prefix}/var"},
219 { FR_CONF_OFFSET("sbin_dir", main_config_t, sbin_dir), .dflt = "${prefix}/sbin"},
220 { FR_CONF_OFFSET("logdir", main_config_t, log_dir), .dflt = "${local_state_dir}/log"},
221 { FR_CONF_OFFSET("run_dir", main_config_t, run_dir), .dflt = "${local_state_dir}/run/${name}"},
222 { FR_CONF_OFFSET("radacctdir", main_config_t, radacct_dir), .dflt = "${logdir}/radacct" },
223 { FR_CONF_OFFSET("panic_action", main_config_t, panic_action) },
224 { FR_CONF_OFFSET("reverse_lookups", main_config_t, reverse_lookups), .dflt = "no", .func = reverse_lookups_parse },
225 { FR_CONF_OFFSET("hostname_lookups", main_config_t, hostname_lookups), .dflt = "yes", .func = hostname_lookups_parse },
226 { FR_CONF_OFFSET("pidfile", main_config_t, pid_file), .dflt = "${run_dir}/radiusd.pid"},
227
228 { FR_CONF_OFFSET_FLAGS("debug_level", CONF_FLAG_HIDDEN, main_config_t, debug_level), .dflt = "0" },
229
230 { FR_CONF_POINTER("request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) request_config },
231
232 { FR_CONF_POINTER("log", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) log_config },
233
234 { FR_CONF_POINTER("resources", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) resources },
235
236 { FR_CONF_POINTER("thread", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) thread_config, .name2 = CF_IDENT_ANY },
237
238 { FR_CONF_POINTER("migrate", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) migrate_config, .name2 = CF_IDENT_ANY },
239
240#ifndef NDEBUG
241 { FR_CONF_POINTER("interpret", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) interpret_config, .name2 = CF_IDENT_ANY },
242#endif
243
244 { FR_CONF_DEPRECATED("max_requests", main_config_t, worker.max_requests) },
245 { FR_CONF_DEPRECATED("max_request_time", main_config_t, worker.max_request_time) },
246
248};
249
250
251/**********************************************************************
252 *
253 * The next few items are here to allow for switching of users
254 * while still opening the various output files with the correct
255 * permission.
256 *
257 * It's rare (or impossible) to have parse errors for these
258 * configuration items, so we don't worry too much about that.
259 * In contrast, when we parse the rest of the configuration, we
260 * CAN get parse errors. We want THOSE parse errors to go to the
261 * log file, and we want the log file to have the correct
262 * permissions.
263 *
264 **********************************************************************/
266#ifdef HAVE_SETUID
268 { FR_CONF_OFFSET_IS_SET("group", FR_TYPE_VOID, 0, main_config_t, gid), .func = cf_parse_gid },
269#endif
270 { FR_CONF_OFFSET("allow_core_dumps", main_config_t, allow_core_dumps), .dflt = "no" },
271
272#ifdef ENABLE_OPENSSL_VERSION_CHECK
273 { FR_CONF_OFFSET("allow_vulnerable_openssl", main_config_t, allow_vulnerable_openssl), .dflt = "no" },
274#endif
275
276#ifdef WITH_TLS
277 { FR_CONF_OFFSET_IS_SET("openssl_fips_mode", FR_TYPE_BOOL, 0, main_config_t, openssl_fips_mode), .dflt = "no" },
278#endif
279
281};
282
284 { FR_CONF_POINTER("security", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) security_config },
285
286 { FR_CONF_OFFSET("name", main_config_t, name), .func = name_parse }, /* DO NOT SET DEFAULT */
287
288 { FR_CONF_OFFSET("prefix", main_config_t, prefix), .dflt = "/usr/local" },
289 { FR_CONF_OFFSET("local_state_dir", main_config_t, local_state_dir), .dflt = "${prefix}/var"},
290
291 { FR_CONF_OFFSET("run_dir", main_config_t, run_dir), .dflt = "${local_state_dir}/run/${name}"},
292
293 /*
294 * For backwards compatibility.
295 */
296#ifdef HAVE_SETUID
297 { FR_CONF_DEPRECATED("user", main_config_t, uid) },
298 { FR_CONF_DEPRECATED("group", main_config_t, gid) },
299#endif
300 { FR_CONF_DEPRECATED("chroot", main_config_t, NULL) },
301 { FR_CONF_DEPRECATED("allow_core_dumps", main_config_t, NULL) },
303};
304
305static int reverse_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent,
306 CONF_ITEM *ci, conf_parser_t const *rule)
307{
308 int ret;
309
310 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
311
312 memcpy(&fr_reverse_lookups, out, sizeof(fr_reverse_lookups));
313
314 return 0;
315}
316
317static int hostname_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent,
318 CONF_ITEM *ci, conf_parser_t const *rule)
319{
320 int ret;
321
322 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
323
325
326 return 0;
327}
328
329static int talloc_pool_size_parse(TALLOC_CTX *ctx, void *out, void *parent,
330 CONF_ITEM *ci, conf_parser_t const *rule)
331{
332 int ret;
333 size_t value;
334
335 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
336
337 memcpy(&value, out, sizeof(value));
338
339 FR_SIZE_BOUND_CHECK("request.talloc_pool_size", value, >=, (size_t)(2 * 1024));
340 FR_SIZE_BOUND_CHECK("request.talloc_pool_size", value, <=, (size_t)(1024 * 1024));
341
342 memcpy(out, &value, sizeof(value));
343
344 return 0;
345}
346
347static int max_request_time_parse(TALLOC_CTX *ctx, void *out, void *parent,
348 CONF_ITEM *ci, conf_parser_t const *rule)
349{
350 int ret;
352
353 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
354
355 memcpy(&value, out, sizeof(value));
356
357 FR_TIME_DELTA_BOUND_CHECK("request.timeout", value, >=, fr_time_delta_from_sec(5));
358 FR_TIME_DELTA_BOUND_CHECK("request.timeout", value, <=, fr_time_delta_from_sec(120));
359
360 memcpy(out, &value, sizeof(value));
361
362 return 0;
363}
364
365static int lib_dir_on_read(UNUSED TALLOC_CTX *ctx, UNUSED void *out, UNUSED void *parent,
366 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
367{
368 CONF_PAIR *cp = cf_item_to_pair(ci);
369 char const *value;
370
371 fr_assert(main_config != NULL);
372 value = cf_pair_value(cp);
373 if (value) {
375
376 memcpy(&config, &main_config, sizeof(config)); /* const issues */
377
378 config->lib_dir = value;
379 }
380
381 /*
382 * Initialize the DL infrastructure, which is used by the
383 * config file parser. And also add in the search path.
384 */
386 cf_log_perr(ci, "Failed initializing 'lib_dir'");
387 return -1;
388 }
389
390 return 0;
391}
392
393/** Configured server name takes precedence over default values
394 *
395 */
396static int name_parse(TALLOC_CTX *ctx, void *out, void *parent,
397 CONF_ITEM *ci, conf_parser_t const *rule)
398{
400
401 if (*((char **)out)) {
402 if (config->overwrite_config_name) return 0; /* Don't change */
403
404 talloc_free(*((char **)out)); /* Free existing buffer */
405 }
406
407 return cf_pair_parse_value(ctx, out, parent, ci, rule); /* Set new value */
408}
409
410static int num_networks_parse(TALLOC_CTX *ctx, void *out, void *parent,
411 CONF_ITEM *ci, conf_parser_t const *rule)
412{
413 int ret;
415
416 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
417
418 memcpy(&value, out, sizeof(value));
419
420 FR_INTEGER_BOUND_CHECK("thread.num_networks", value, ==, 1);
421
422 memcpy(out, &value, sizeof(value));
423
424 return 0;
425}
426
427static inline CC_HINT(always_inline)
429{
431
433 if (value == 0) {
434 cf_log_pwarn(parent, "Failed retrieving core count, defaulting to 1 worker");
435 value = 1;
436 }
437
438 /*
439 * If we've got more than four times
440 * the number of cores as we have
441 * networks, then set the number of
442 * workers to the number of cores
443 * minus networks.
444 *
445 * This ensures at a least a 4:1
446 * ratio of workers to networks,
447 * which seems like a sensible ratio.
448 */
449 else if (value > (conf->max_networks * 4)) {
450 value -= conf->max_networks;
451 }
452
453 return value;
454}
455
456static int num_workers_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
457{
458 int ret;
461
462 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
463
464 memcpy(&value, out, sizeof(value));
465
466 if (value == 0) value = num_workers_auto(conf, ci);
467
468 /*
469 * If no value is specified, try and
470 * discover it automatically.
471 */
472 FR_INTEGER_BOUND_CHECK("thread.num_workers", value, >=, 1);
473 FR_INTEGER_BOUND_CHECK("thread.num_workers", value, <=, 128);
474
475 memcpy(out, &value, sizeof(value));
476
477 return 0;
478}
479
480static int num_workers_dflt(CONF_PAIR **out, void *parent, CONF_SECTION *cs, fr_token_t quote, conf_parser_t const *rule)
481{
482 char *strvalue;
485
487 strvalue = talloc_asprintf(NULL, "%u", value);
488 *out = cf_pair_alloc(cs, rule->name1, strvalue, T_OP_EQ, T_BARE_WORD, quote);
489 talloc_free(strvalue);
490
491 /*
492 * Otherwise just create as many
493 * workers as we have cores.
494 */
495 cf_log_info(cs, "Dynamically determined thread.workers = %u", value);
496
497 return 0;
498}
499
500static int xlat_config_escape(UNUSED request_t *request, fr_value_box_t *vb, UNUSED void *uctx)
501{
502 static char const disallowed[] = "%{}\\'\"`";
503 size_t outmax = vb->vb_length * 3;
504 size_t outlen = 0;
505 char escaped[outmax + 1];
506 char const *in, *end;
507 char *out = escaped;
508
509 fr_assert(vb->type == FR_TYPE_STRING);
510 in = vb->vb_strvalue;
511 end = in + vb->vb_length;
512
513 do {
514 /*
515 * Non-printable characters get replaced with their
516 * mime-encoded equivalents.
517 */
518 if ((in[0] < 32)) {
519 snprintf(out, outlen, "=%02X", (unsigned char) in[0]);
520 out += 3;
521 outlen += 3;
522 continue;
523 }
524 if (strchr(disallowed, *in) != NULL) {
525 out[0] = '\\';
526 out[1] = *in;
527 out += 2;
528 outlen += 2;
529 continue;
530 }
531 /*
532 * Allowed character.
533 */
534 *out = *in;
535 out++;
536 outlen++;
537 } while (++in < end);
538 *out = '\0';
539
540 /*
541 * If the output length is greater than the input length
542 * something has been escaped - replace the original string
543 */
544 if (outlen > vb->vb_length) {
545 char *outbuff;
546 if (fr_value_box_bstr_realloc(vb, &outbuff, vb, outlen) < 0) return -1;
547 memcpy(outbuff, escaped, outlen);
548 }
549
550 return 0;
551
552}
553
555 { .required = true, .concat = true, .type = FR_TYPE_STRING, .always_escape = true, .func = xlat_config_escape },
557};
558
559/** xlat to get config values
560 *
561@verbatim
562%config(section.subsection.attribute)
563@endverbatim
564 *
565 * @ingroup xlat_functions
566 */
567static xlat_action_t xlat_config(TALLOC_CTX *ctx, fr_dcursor_t *out,
568 UNUSED xlat_ctx_t const *xctx,
569 request_t *request, fr_value_box_list_t *in)
570{
571 char const *value;
572 CONF_PAIR *cp;
573 CONF_ITEM *ci;
574 fr_value_box_t *in_head = fr_value_box_list_head(in);
575 fr_value_box_t *vb;
576
577 ci = cf_reference_item(main_config->root_cs, main_config->root_cs, in_head->vb_strvalue);
578 if (!ci || !cf_item_is_pair(ci)) {
579 RPEDEBUG("Failed finding configuration item '%s'", in_head->vb_strvalue);
580 return XLAT_ACTION_FAIL;
581 }
582
583 cp = cf_item_to_pair(ci);
584
585 value = cf_pair_value(cp);
586 if (!value) return XLAT_ACTION_DONE;
587
588 MEM(vb = fr_value_box_alloc_null(ctx));
589 fr_value_box_bstrndup(vb, vb, NULL, value, strlen(value), false);
591
592 return XLAT_ACTION_DONE;
593}
594
595#ifdef HAVE_SETUID
596static int mkdir_chown(int fd, char const *path, void *uctx)
597{
598 main_config_t *config = uctx;
599 int ret = 0;
600
601 if ((config->server_uid != (uid_t)-1) || (config->server_gid != (gid_t)-1)) {
602 rad_suid_up();
603 ret = fchown(fd, config->server_uid, config->server_gid);
604 if (ret < 0) fr_strerror_printf("Failed changing ownership on directory \"%s\": %s",
605 path, fr_syserror(errno));
607 }
608
609 return ret;
610}
611/*
612 * Switch UID and GID to what is specified in the config file
613 */
614static int switch_users(main_config_t *config, CONF_SECTION *cs)
615{
616 bool do_suid = false;
617 bool do_sgid = false;
618
619 /*
620 * Get the current maximum for core files. Do this
621 * before anything else so as to ensure it's properly
622 * initialized.
623 */
624 if (fr_set_dumpable_init() < 0) {
625 fr_perror("%s", config->name);
626 return -1;
627 }
628
630 fprintf(stderr, "%s: Error: Failed pushing parse rules for user/group information.\n",
631 config->name);
632 return -1;
633 }
634
635 DEBUG("Parsing security rules to bootstrap UID / GID / etc.");
636 if (cf_section_parse(config, config, cs) < 0) {
637 fprintf(stderr, "%s: Error: Failed to parse user/group information.\n",
638 config->name);
639 return -1;
640 }
641
642 /*
643 * Don't do setuid/setgid if we're in debugging
644 * as non-root.
645 */
646 if (DEBUG_ENABLED && (getuid() != 0)) {
647 WARN("Ignoring configured UID / GID as we're running in debug mode");
648 return 0;
649 }
650#ifdef HAVE_GRP_H
651 /*
652 * Get the correct GID for the server.
653 */
654 config->server_gid = getgid();
655 if (config->gid_is_set && (config->server_gid != config->gid)) {
656 config->server_gid = config->gid;
657 do_sgid = true;
658 }
659#endif
660
661 /*
662 * Get the correct UID for the server.
663 */
664 config->server_uid = getuid();
665 if (config->uid_is_set && (config->server_uid != config->uid)) {
666 /*
667 * We're not the correct user. Go set that.
668 */
669 config->server_uid = config->uid;
670 do_suid = true;
671
672#ifdef HAVE_INITGROUPS
673 {
674 struct passwd *user;
675
676 if (fr_perm_getpwuid(config, &user, config->uid) < 0) {
677 fprintf(stderr, "%s: Failed resolving UID %i: %s\n",
678 config->name, (int)config->uid, fr_syserror(errno));
679 return -1;
680 }
681
682 if (initgroups(user->pw_name, config->server_gid) < 0) {
683 fprintf(stderr, "%s: Cannot initialize supplementary group list "
684 "for user %s: %s\n",
685 config->name, user->pw_name, fr_syserror(errno));
686 talloc_free(user);
687 return -1;
688 }
689
690 talloc_free(user);
691 }
692#endif
693 }
694
695 /*
696 * Set the user/group we're going to use
697 * to check read permissions on configuration files.
698 */
699 cf_file_check_user(config->server_uid ? config->server_uid : (uid_t)-1,
700 config->server_gid ? config->server_gid : (gid_t)-1);
701
702#ifdef HAVE_GRP_H
703 /*
704 * Set the GID. Don't bother checking it.
705 */
706 if (do_sgid) {
707 if (setgid(config->server_gid) < 0) {
708 struct group *group;
709
710 if (fr_perm_getgrgid(config, &group, config->gid) < 0) {
711 fprintf(stderr, "%s: Failed resolving GID %i: %s\n",
712 config->name, (int)config->gid, fr_syserror(errno));
713 return -1;
714 }
715
716 fprintf(stderr, "%s: Failed setting group to %s: %s",
717 config->name, group->gr_name, fr_syserror(errno));
718 return -1;
719 }
720 }
721#endif
722
723 /*
724 * The directories for PID files and logs must exist. We
725 * need to create them if we're told to write files to
726 * those directories.
727 *
728 * Because this creation is new in 3.0.9, it's a soft
729 * fail.
730 *
731 */
732 if (config->write_pid) {
733 /*
734 * Control sockets may be accessible by users
735 * other than the freeradius user, so we need
736 * to allow 'other' to traverse the run
737 * directory.
738 *
739 * The freeradius user should be the only one
740 * allowed to write to this directory however.
741 */
742 if (fr_mkdir(NULL, config->run_dir, -1, 0755, mkdir_chown, config) < 0) {
743 WARN("Failed creating run_dir %s: %s", config->run_dir, fr_syserror(errno));
744 }
745 }
746
747 if ((default_log.dst == L_DST_FILES) && config->log_dir) {
748 /*
749 * Every other Linux daemon allows 'other'
750 * to traverse the log directory. That doesn't
751 * mean the actual files should be world
752 * readable.
753 */
754 if (fr_mkdir(NULL, config->log_dir, -1, 0755, mkdir_chown, config) < 0) {
755 WARN("Failed creating log_dir %s: %s", config->log_dir, fr_syserror(errno));
756 }
757 }
758
759 /*
760 * If we don't already have a log file open, open one
761 * now. We may not have been logging anything yet. The
762 * server normally starts up fairly quietly.
763 */
764 if ((default_log.dst == L_DST_FILES) &&
765 (default_log.fd < 0)) {
766 default_log.fd = open(config->log_file,
767 O_WRONLY | O_APPEND | O_CREAT, 0640);
768 if (default_log.fd < 0) {
769 fprintf(stderr, "%s: Failed to open log file %s: %s\n",
770 config->name, config->log_file, fr_syserror(errno));
771 return -1;
772 }
773 }
774
775 /*
776 * If we need to change UID, ensure that the log files
777 * have the correct owner && group.
778 *
779 * We have to do this because some log files MAY already
780 * have been written as root. We need to change them to
781 * have the correct ownership before proceeding.
782 */
783 if ((do_suid || do_sgid) &&
785 if (fchown(default_log.fd, config->server_uid, config->server_gid) < 0) {
786 fprintf(stderr, "%s: Cannot change ownership of log file %s: %s\n",
787 config->name, config->log_file, fr_syserror(errno));
788 return -1;
789 }
790 }
791
792 /*
793 * Once we're done with all of the privileged work,
794 * permanently change the UID.
795 */
796 if (do_suid) {
797 rad_suid_set_down_uid(config->server_uid);
799 }
800
801 return 0;
802}
803#endif /* HAVE_SETUID */
804
805
806/** Set the server name
807 *
808 * @note Will only add pair if one does not already exist
809 *
810 * @param[in] config to alter.
811 * @param[in] name to set e.g. "radiusd".
812 * @param[in] overwrite_config replace any CONF_PAIRs with this value.
813 */
814void main_config_name_set_default(main_config_t *config, char const *name, bool overwrite_config)
815{
816 if (config->name) {
817 char *p;
818
819 memcpy(&p, &config->name, sizeof(p));
820 talloc_free(p);
821 config->name = NULL;
822 }
824
825 config->overwrite_config_name = overwrite_config;
826}
827
828/** Set the global radius config directory.
829 *
830 * @param[in] config to alter.
831 * @param[in] name to set as dir root e.g. /usr/local/etc/raddb.
832 */
834{
835 if (config->raddb_dir) {
836 talloc_const_free(config->raddb_dir);
837 config->raddb_dir = NULL;
838 }
839 if (name) config->raddb_dir = talloc_typed_strdup(config, name);
840}
841
842/** Clean up the semaphore when the main config is freed
843 *
844 * This helps with permissions issues if the user is switching between
845 * running the process under something like systemd and running it under
846 * debug mode.
847 */
849#ifndef HAVE_SEMAPHORES
850 UNUSED
851#endif
852 main_config_t const *config)
853{
854#ifdef HAVE_SEMAPHORES
855 if (config->multi_proc_sem_id >= 0) fr_sem_close(config->multi_proc_sem_id, NULL);
856#endif
857}
858
859/** Increment the semaphore in the child process so that it's not released when the parent exits
860 *
861 * @param[in] config specifying the path to the main config file.
862 * @return
863 * - 0 on success.
864 * - -1 on failure.
865 */
867#ifndef HAVE_SEMAPHORES
868 UNUSED
869#endif
870 main_config_t const *config)
871{
872#ifdef HAVE_SEMAPHORES
873 return fr_sem_take(config->multi_proc_sem_id, config->multi_proc_sem_path, true);
874#else
875 return 0;
876#endif
877}
878
879/** Check to see if we're the only process using this configuration file (or PID file if specified)
880 *
881 * @param[in] config specifying the path to the main config file.
882 * @return
883 * - 1 if another process is running with this config file
884 * - 0 if no other process is running with this config file.
885 * - -1 on error.
886 */
888{
889 char *path;
890
891#ifdef HAVE_SEMAPHORES
892 int sem_id;
893#endif
894
895 int ret = 0;
896 FILE *fp = NULL;
897 static bool sem_initd;
898
899 if (unlikely(sem_initd)) return 0;
900
901 if (config->write_pid) {
902 fr_assert(config->pid_file);
903 fp = fopen(config->pid_file, "w");
904 if (!fp) {
905 fr_strerror_printf("Refusing to start - Failed creating PID file at \"%s\" - %s",
906 config->pid_file, fr_syserror(errno));
907 return -1;
908 }
909 MEM(path = talloc_typed_strdup(config, config->pid_file));
910 } else {
911 MEM(path = talloc_asprintf(config, "%s/%s.conf", config->raddb_dir, config->name));
912 }
913
914#ifdef HAVE_SEMAPHORES
915 sem_id = fr_sem_get(path, 0,
916 main_config->uid_is_set ? main_config->uid : geteuid(),
917 main_config->gid_is_set ? main_config->gid : getegid(),
918 true, false);
919 if (sem_id < 0) {
920 talloc_free(path);
921 ret = -1;
922 goto done;
923 }
924
925 config->multi_proc_sem_id = -1;
926
927 ret = fr_sem_wait(sem_id, path, true, true);
928 switch (ret) {
929 case 0: /* we have the semaphore */
930 talloc_free(config->multi_proc_sem_path); /* Allow this to be called multiple times */
931 config->multi_proc_sem_id = sem_id;
932 config->multi_proc_sem_path = path;
933 sem_initd = true;
934 break;
935
936 case 1: /* another process has the semaphore */
937 {
938 pid_t pid;
939
940 fr_sem_pid(&pid, sem_id);
941 fr_strerror_printf("Refusing to start - PID %u already running with \"%s\"", pid, path);
942 talloc_free(path);
943 }
944 break;
945
946 default:
947 talloc_free(path);
948 break;
949 }
950done:
951#endif
952 if (fp != NULL) fclose(fp);
953
954 return ret;
955}
956
957/** Set the global dictionary directory.
958 *
959 * @param[in] config to alter.
960 * @param[in] name to set as dict dir root e.g. /usr/local/share/freeradius.
961 */
963{
964 if (config->dict_dir) {
965 talloc_const_free(config->dict_dir);
966 config->dict_dir = NULL;
967 }
968 if (name) config->dict_dir = talloc_typed_strdup(config, name);
969}
970
971/** Allocate a main_config_t struct, setting defaults
972 *
973 */
975{
977
978 config = talloc_zero(ctx, main_config_t);
979 if (!config) {
980 fr_strerror_const("Failed allocating main config");
981 return NULL;
982 }
983
984 /*
985 * Set the defaults from compile time arguments
986 * these can be overridden later on the command line.
987 */
990
992
993 return config;
994}
995
996static int _dlhandle_free(void **dl_handle)
997{
998 dlclose(*dl_handle);
999 return 0;
1000}
1001
1002/*
1003 * Read config files.
1004 *
1005 * This function can ONLY be called from the main server process.
1006 */
1008{
1009 char const *p = NULL;
1010 CONF_SECTION *cs = NULL, *subcs;
1011 struct stat statbuf;
1012 bool can_colourise = false;
1013 char buffer[1024];
1014 xlat_t *xlat;
1015
1016 /*
1017 * Initialize the xlats before we load the configuration files,
1018 * so that we can later call xlat_func_register().
1019 */
1021
1022 if (stat(config->raddb_dir, &statbuf) < 0) {
1023 ERROR("Error checking raddb_dir \"%s\": %s", config->raddb_dir, fr_syserror(errno));
1024 return -1;
1025 }
1026
1027#ifdef S_IWOTH
1028 if ((statbuf.st_mode & S_IWOTH) != 0) {
1029 ERROR("Configuration directory %s is globally writable. "
1030 "Refusing to start due to insecure configuration", config->raddb_dir);
1031 return -1;
1032 }
1033#endif
1034
1035#if 0 && defined(S_IROTH)
1036 if (statbuf.st_mode & S_IROTH != 0) {
1037 ERROR("Configuration directory %s is globally readable. "
1038 "Refusing to start due to insecure configuration", config->raddb_dir);
1039 return -1;
1040 }
1041#endif
1042 INFO("Starting - reading configuration files ...");
1043
1044 cs = cf_section_alloc(NULL, NULL, "main", NULL);
1045 if (!cs) return -1;
1046
1047 /*
1048 * Add a 'feature' subsection off the main config
1049 * We check if it's defined first, as the user may
1050 * have defined their own feature flags, or want
1051 * to manually override the ones set by modules
1052 * or the server.
1053 */
1054 subcs = cf_section_find(cs, "feature", NULL);
1055 if (!subcs) {
1056 subcs = cf_section_alloc(cs, cs, "feature", NULL);
1057 if (!subcs) {
1058 failure:
1059 fr_dict_free(&config->dict, __FILE__);
1060 talloc_free(cs);
1061 return -1;
1062 }
1063 }
1065
1067 PERROR("Failed reading internal dictionaries");
1068 goto failure;
1069 }
1070
1071 /*
1072 * Special-case things. If the output is a TTY, AND
1073 * we're debugging, colourise things. This flag also
1074 * removes the "Debug : " prefix from the log messages.
1075 */
1076 p = getenv("TERM");
1077 if (p && isatty(default_log.fd) && strstr(p, "xterm") && fr_debug_lvl) {
1078 can_colourise = default_log.colourise = true;
1079 } else {
1080 can_colourise = default_log.colourise = false;
1081 }
1082 default_log.line_number = config->log_line_number;
1083
1084 /*
1085 * Add a 'version' subsection off the main config
1086 * We check if it's defined first, this is for
1087 * backwards compatibility.
1088 */
1089 subcs = cf_section_find(cs, "version", NULL);
1090 if (!subcs) {
1091 subcs = cf_section_alloc(cs, cs, "version", NULL);
1092 if (!subcs) goto failure;
1093 }
1095
1096 /*
1097 * @todo - not quite done yet... these dictionaries have
1098 * to be loaded from raddb_dir. But the
1099 * fr_dict_autoload_t has a base_dir pointer
1100 * there... it's probably best to pass raddb_dir into
1101 * fr_dict_autoload() and have it use that instead.
1102 *
1103 * Once that's done, the proto_foo dictionaries SHOULD be
1104 * autoloaded, AND loaded before the configuration files
1105 * are read.
1106 *
1107 * And then all of the modules have to be updated to use
1108 * their local dict pointer, instead of NULL.
1109 */
1110 if (cf_section_rules_push(cs, lib_dir_on_read_config) < 0) goto failure;
1111 if (cf_section_rules_push(cs, virtual_servers_on_read_config) < 0) goto failure;
1112
1113 /*
1114 * Track the status of the configuration.
1115 */
1117
1118 /* Read the configuration file */
1119 snprintf(buffer, sizeof(buffer), "%.200s/%.50s.conf", config->raddb_dir, config->name);
1120 if (cf_file_read(cs, buffer) < 0) {
1121 ERROR("Error reading or parsing %s", buffer);
1122 goto failure;
1123 }
1124
1125 /*
1126 * Do any fixups here that might be used in references
1127 */
1128 if (config->name) {
1129 CONF_PAIR *cp;
1130
1131 cp = cf_pair_find(cs, "name");
1132 if (cp){
1133 if (config->overwrite_config_name && (cf_pair_replace(cs, cp, config->name) < 0)) {
1134 ERROR("Failed adding/replacing \"name\" config item");
1135 goto failure;
1136 }
1137 } else {
1139 }
1140 }
1141
1142 if (cf_section_pass2(cs) < 0) goto failure;
1143
1144 /*
1145 * Parse environment variables first.
1146 */
1147 subcs = cf_section_find(cs, "ENV", NULL);
1148 if (subcs) {
1149 char const *attr, *value;
1150 CONF_PAIR *cp;
1151 CONF_ITEM *ci;
1152
1153 for (ci = cf_item_next(subcs, NULL);
1154 ci != NULL;
1155 ci = cf_item_next(subcs, ci)) {
1156 if (cf_item_is_data(ci)) continue;
1157
1158 if (!cf_item_is_pair(ci)) {
1159 cf_log_err(ci, "Unexpected item in ENV section");
1160 goto failure;
1161 }
1162
1163 cp = cf_item_to_pair(ci);
1164 if (cf_pair_operator(cp) != T_OP_EQ) {
1165 cf_log_err(ci, "Invalid operator for item in ENV section");
1166 goto failure;
1167 }
1168
1169 attr = cf_pair_attr(cp);
1170 value = cf_pair_value(cp);
1171 if (!value) {
1172 if (unsetenv(attr) < 0) {
1173 cf_log_err(ci, "Failed deleting environment variable %s: %s",
1174 attr, fr_syserror(errno));
1175 goto failure;
1176 }
1177 } else {
1178 void *handle;
1179 void **handle_p;
1180
1181 if (setenv(attr, value, 1) < 0) {
1182 cf_log_err(ci, "Failed setting environment variable %s: %s",
1183 attr, fr_syserror(errno));
1184 goto failure;
1185 }
1186
1187 /*
1188 * Hacks for LD_PRELOAD.
1189 */
1190 if (strcmp(attr, "LD_PRELOAD") != 0) continue;
1191
1192 handle = dlopen(value, RTLD_NOW | RTLD_GLOBAL);
1193 if (!handle) {
1194 cf_log_err(ci, "Failed loading library %s: %s", value, dlerror());
1195 goto failure;
1196 }
1197
1198 /*
1199 * Wrap the pointer, so we can set a destructor.
1200 */
1201 MEM(handle_p = talloc(NULL, void *));
1202 *handle_p = handle;
1203 talloc_set_destructor(handle_p, _dlhandle_free);
1204 (void) cf_data_add(subcs, handle_p, value, true);
1205 }
1206 } /* loop over pairs in ENV */
1207 } /* there's an ENV subsection */
1208
1209 /*
1210 * Parse log section of main config.
1211 */
1213 fprintf(stderr, "%s: Error: Failed pushing rules for log {} section.\n",
1214 config->name);
1215 goto failure;
1216 }
1217
1218 DEBUG("Parsing initial logging configuration.");
1219 if (cf_section_parse(config, config, cs) < 0) {
1220 fprintf(stderr, "%s: Error: Failed to parse log{} section.\n",
1221 config->name);
1222 goto failure;
1223 }
1224
1225 /*
1226 * If there was no log destination set on the command line,
1227 * set it now.
1228 */
1229 if (default_log.dst == L_DST_NULL) {
1230 if (!config->log_dest) {
1231 fprintf(stderr, "%s: Error: No log destination specified.\n",
1232 config->name);
1233 goto failure;
1234 }
1235
1237
1238 switch (default_log.dst) {
1239 case L_DST_NUM_DEST:
1240 fprintf(stderr, "%s: Error: Unknown log_destination %s\n",
1241 config->name, config->log_dest);
1242 goto failure;
1243
1244#ifdef HAVE_SYSLOG_H
1245 case L_DST_SYSLOG:
1246 /*
1247 * Call openlog only once, when the
1248 * program starts.
1249 */
1250 openlog(config->name, LOG_PID, config->syslog_facility);
1251 break;
1252#endif
1253
1254 case L_DST_FILES:
1255 if (!config->log_file) {
1256 fprintf(stderr, "%s: Error: Specified \"files\" as a log destination, but no log filename was given!\n",
1257 config->name);
1258 goto failure;
1259 }
1260 default_log.file = config->log_file;
1261 break;
1262
1263 default:
1264 break;
1265 }
1266 }
1267
1268 /*
1269 * Only set timestamp logging from the config file if no value was
1270 * specified on the command line.
1271 */
1272 if (config->log_timestamp_is_set && (default_log.timestamp == L_TIMESTAMP_AUTO)) {
1274 }
1275
1276#ifdef HAVE_SETUID
1277 /*
1278 * Switch users as early as possible.
1279 */
1280 if (switch_users(config, cs) < 0) goto failure;
1281#endif
1282
1283 /*
1284 * This also clears the dumpable flag if core dumps
1285 * aren't allowed.
1286 */
1287 if (fr_set_dumpable(config->allow_core_dumps) < 0) PERROR("Failed enabling core dumps");
1288 if (config->allow_core_dumps) INFO("Core dumps are enabled");
1289
1290 /*
1291 * This allows us to figure out where, relative to
1292 * radiusd.conf, the other configuration files exist.
1293 */
1294 if (cf_section_rules_push(cs, server_config) < 0) goto failure;
1295 if (cf_section_rules_push(cs, virtual_servers_config) < 0) goto failure;
1296
1297 DEBUG("Parsing main configuration");
1298 if (cf_section_parse(config, config, cs) < 0) goto failure;
1299
1300 /*
1301 * Reset the colourisation state. The configuration
1302 * files can disable colourisation if the terminal
1303 * supports it. The configuration files *cannot* enable
1304 * colourisation if the terminal window doesn't support
1305 * it.
1306 */
1307 if (can_colourise && !config->do_colourise) {
1308 default_log.colourise = false;
1309 }
1310
1311 /*
1312 * Starting the server, WITHOUT "-x" on the
1313 * command-line: use whatever is in the config
1314 * file.
1315 */
1316 if (fr_debug_lvl == 0) fr_debug_lvl = config->debug_level;
1317
1318 INFO("Switching to configured log settings");
1319
1320 /*
1321 * Free the old configuration items, and replace them
1322 * with the new ones.
1323 *
1324 * Note that where possible, we do atomic switch-overs,
1325 * to ensure that the pointers are always valid.
1326 */
1327 fr_assert(config->root_cs == NULL);
1328
1329 /*
1330 * Redirect stderr/stdout as appropriate.
1331 */
1332 if (log_global_init(&default_log, config->daemonize) < 0) {
1333 cf_log_err(cs, "Failed initializing logging");
1334 goto failure;
1335 }
1336
1337 /*
1338 * Load different logging destinations.
1339 */
1340 for (subcs = cf_section_find_next(cs, NULL, "log", CF_IDENT_ANY);
1341 subcs != NULL;
1342 subcs = cf_section_find_next(cs, subcs, "log", CF_IDENT_ANY)) {
1343 if (!cf_section_name2(subcs)) continue;
1344
1345 if (log_parse_section(subcs) < 0) {
1346 cf_log_err(subcs, "Failed parsing log section: %s", fr_strerror());
1347 goto failure;
1348 }
1349 }
1350
1351 DEBUG2("%s: #### Loading Clients ####", config->name);
1352 if (!client_list_parse_section(cs, 0, false)) goto failure;
1353
1354 /*
1355 * Register the %config(section.subsection) xlat function.
1356 */
1357 if (unlikely((xlat = xlat_func_register(NULL, "config", xlat_config, FR_TYPE_STRING)) == NULL)) goto failure;
1360
1361 config->root_cs = cs; /* Do this last to avoid dangling pointers on error */
1362
1363 /* Clear any unprocessed configuration errors */
1365
1366 return 0;
1367}
1368
1369/*
1370 * Free the configuration. Called only when the server is exiting.
1371 */
1373{
1374 /*
1375 * Frees request specific logging resources which is OK
1376 * because all the requests will have been stopped.
1377 */
1379
1380 /*
1381 * Clean up the configuration data
1382 * structures.
1383 */
1385
1386 /*
1387 * Frees current config and any previous configs.
1388 */
1389 TALLOC_FREE((*config)->root_cs);
1390 fr_dict_free(&(*config)->dict, __FILE__);
1391 TALLOC_FREE(*config);
1392
1393 return 0;
1394}
1395
1397{
1398 int fd, old_fd;
1399
1400 if (default_log.dst != L_DST_FILES) return;
1401
1402 fd = open(config->log_file, O_WRONLY | O_APPEND | O_CREAT, 0640);
1403 if (fd >= 0) {
1404 /*
1405 * Atomic swap. We'd like to keep the old
1406 * FD around so that callers don't
1407 * suddenly find the FD closed, and the
1408 * writes go nowhere. But that's hard to
1409 * do. So... we have the case where a
1410 * log message *might* be lost on HUP.
1411 */
1412 old_fd = default_log.fd;
1413 default_log.fd = fd;
1414 close(old_fd);
1415 }
1416}
1417
1419{
1420 fr_time_t when;
1421
1422 static fr_time_t last_hup = fr_time_wrap(0);
1423
1424 /*
1425 * Re-open the log file. If we can't, then keep logging
1426 * to the old log file.
1427 *
1428 * The "open log file" code is here rather than in log.c,
1429 * because it makes that function MUCH simpler.
1430 */
1432
1433 /*
1434 * Only check the config files every few seconds.
1435 */
1436 when = fr_time();
1437 if (fr_time_gteq(fr_time_add(last_hup, fr_time_delta_from_sec(2)), when)) {
1438 INFO("HUP - Last HUP was too recent. Ignoring");
1439 return;
1440 }
1441 last_hup = when;
1442
1443 INFO("HUP - NYI in version 4"); /* Not yet implemented in v4 */
1444}
1445
1447 { L("rewrite_update"), offsetof(main_config_t, rewrite_update) },
1448 { L("forbid_update"), offsetof(main_config_t, forbid_update) },
1449};
1451
1452/*
1453 * Migration function that allows for command-line over-ride of
1454 * data structures which need to be initialized before the
1455 * configuration files are loaded.
1456 *
1457 * This should really only be temporary, until we get rid of flat vs nested.
1458 */
1460{
1461 fr_value_box_t box;
1462 size_t offset;
1463 char const *p;
1464 bool *out;
1465
1466 p = strchr(value, '=');
1467 if (!p) return -1;
1468
1470 if (offset) {
1471 out = (bool *) (((uintptr_t) main_config) + offset);
1472
1473 } else {
1474 return -1;
1475 }
1476
1477 p += 1;
1478
1479 fr_value_box_init(&box, FR_TYPE_BOOL, NULL, false);
1480 if (fr_value_box_from_str(NULL, &box, FR_TYPE_BOOL, NULL,
1481 p, strlen(p), NULL) < 0) {
1482 fr_perror("Invalid boolean \"%s\"", p);
1483 fr_exit(1);
1484 }
1485
1486 *out = box.vb_bool;
1487
1488 return 0;
1489}
1490
1491/*
1492 * Allow other pieces of the code to examine the migration options.
1493 */
1495{
1496 size_t offset;
1497
1498 if (!main_config) return false;
1499
1500 offset = fr_table_value_by_substr(config_arg_table, name, strlen(name), 0);
1501 if (!offset) return false;
1502
1503 return *(bool *) (((uintptr_t) main_config) + offset);
1504}
static int const char char buffer[256]
Definition acutest.h:576
#define RCSID(id)
Definition build.h:485
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
#define STRINGIFY(x)
Definition build.h:197
#define unlikely(_x)
Definition build.h:383
#define UNUSED
Definition build.h:317
#define NUM_ELEMENTS(_t)
Definition build.h:339
void cf_md5_init(void)
Definition cf_file.c:2891
int cf_file_read(CONF_SECTION *cs, char const *filename)
Definition cf_file.c:3234
int cf_section_pass2(CONF_SECTION *cs)
Definition cf_file.c:767
CONF_ITEM * cf_reference_item(CONF_SECTION const *parent_cs, CONF_SECTION const *outer_cs, char const *ptr)
Definition cf_file.c:3430
void cf_file_check_user(uid_t uid, gid_t gid)
Set the euid/egid used when performing file checks.
Definition cf_file.c:3308
int cf_section_parse(TALLOC_CTX *ctx, void *base, CONF_SECTION *cs)
Parse a configuration section into user-supplied variables.
Definition cf_parse.c:1154
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1592
int cf_pair_parse_value(TALLOC_CTX *ctx, void *out, UNUSED void *base, CONF_ITEM *ci, conf_parser_t const *rule)
Parses a CONF_PAIR into a C data type.
Definition cf_parse.c:173
int cf_parse_gid(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
Generic function for resolving GID strings to uid_t values.
Definition cf_parse.c:1659
int cf_parse_uid(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
Generic function for resolving UID strings to uid_t values.
Definition cf_parse.c:1644
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:658
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:612
#define FR_CONF_DEPRECATED(_name, _struct, _field)
conf_parser_t entry which raises an error if a matching CONF_PAIR is found
Definition cf_parse.h:414
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:518
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
#define FR_SIZE_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:508
#define cf_section_rules_push(_cs, _rule)
Definition cf_parse.h:690
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:339
char const * name1
Name of the CONF_ITEM to parse.
Definition cf_parse.h:596
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition cf_parse.h:298
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:272
cf_parse_t on_read
Function to call as the item is being read, just after it has been allocated and initialized.
Definition cf_parse.h:615
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:313
#define FR_TIME_DELTA_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:529
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:428
@ CONF_FLAG_HIDDEN
Used by scripts to omit items from the generated documentation.
Definition cf_parse.h:457
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:595
Common header for all CONF_* types.
Definition cf_priv.h:49
Configuration AVP similar to a fr_pair_t.
Definition cf_priv.h:70
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
bool cf_item_is_pair(CONF_ITEM const *ci)
Determine if CONF_ITEM is a CONF_PAIR.
Definition cf_util.c:631
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
CONF_ITEM * cf_section_to_item(CONF_SECTION const *cs)
Cast a CONF_SECTION to a CONF_ITEM.
Definition cf_util.c:737
CONF_PAIR * cf_pair_alloc(CONF_SECTION *parent, char const *attr, char const *value, fr_token_t op, fr_token_t lhs_quote, fr_token_t rhs_quote)
Allocate a CONF_PAIR.
Definition cf_util.c:1278
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
CONF_PAIR * cf_pair_find(CONF_SECTION const *cs, char const *attr)
Search for a CONF_PAIR with a specific name.
Definition cf_util.c:1438
bool cf_item_is_data(CONF_ITEM const *ci)
Determine if CONF_ITEM is CONF_DATA.
Definition cf_util.c:645
fr_token_t cf_pair_operator(CONF_PAIR const *pair)
Return the operator of a pair.
Definition cf_util.c:1607
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:663
CONF_SECTION * cf_section_find_next(CONF_SECTION const *cs, CONF_SECTION const *prev, char const *name1, char const *name2)
Return the next matching section.
Definition cf_util.c:1048
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1593
int cf_pair_replace(CONF_SECTION *cs, CONF_PAIR *cp, char const *value)
Replace pair in a given section with a new pair, of the given value.
Definition cf_util.c:1349
char const * cf_pair_attr(CONF_PAIR const *pair)
Return the attr of a CONF_PAIR.
Definition cf_util.c:1577
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:289
#define cf_data_add(_cf, _data, _name, _free)
Definition cf_util.h:255
#define cf_log_info(_cf, _fmt,...)
Definition cf_util.h:291
#define cf_item_next(_parent, _curr)
Definition cf_util.h:92
#define cf_log_perr(_cf, _fmt,...)
Definition cf_util.h:296
#define cf_log_pwarn(_cf, _fmt,...)
Definition cf_util.h:297
#define cf_section_alloc(_ctx, _parent, _name1, _name2)
Definition cf_util.h:140
#define CF_IDENT_ANY
Definition cf_util.h:78
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition dcursor.h:408
static char panic_action[512]
The command to execute when panicking.
Definition debug.c:96
int fr_set_dumpable(bool allow_core_dumps)
Enable or disable core dumps.
Definition debug.c:822
int fr_set_dumpable_init(void)
Get the current maximum for core files.
Definition debug.c:807
#define fr_exit(_x)
Exit, producing a log message in debug builds.
Definition debug.h:228
#define MEM(x)
Definition debug.h:36
void dependency_features_init(CONF_SECTION *cs)
Initialise core feature flags.
Definition dependency.c:183
void dependency_version_numbers_init(CONF_SECTION *cs)
Initialise core version flags.
Definition dependency.c:341
#define ERROR(fmt,...)
Definition dhcpclient.c:41
#define DEBUG(fmt,...)
Definition dhcpclient.c:39
int fr_dict_internal_afrom_file(fr_dict_t **out, char const *internal_name, char const *dependent)
(Re-)Initialize the special internal dictionary
int fr_dict_free(fr_dict_t **dict, char const *dependent)
Decrement the reference count on a previously loaded dictionary.
Definition dict_util.c:4068
static fr_slen_t in
Definition dict.h:840
Test enumeration values.
Definition dict_test.h:92
#define RTLD_NOW
Definition dl.c:44
dl_module_loader_t * dl_module_loader_init(char const *lib_dir)
Initialise structures needed by the dynamic linker.
Definition dl_module.c:529
ssize_t fr_mkdir(int *fd_out, char const *path, ssize_t len, mode_t mode, fr_mkdir_func_t func, void *uctx)
Create directories that are missing in the specified path.
Definition file.c:219
uint32_t fr_hw_num_cores_active(void)
Definition hw.c:121
bool fr_hostname_lookups
hostname -> IP lookups?
Definition inet.c:53
bool fr_reverse_lookups
IP -> hostname lookups?
Definition inet.c:52
static bool log_timestamp
Definition log.c:1092
fr_table_num_sorted_t const log_destination_table[]
Definition log.c:186
int log_global_init(fr_log_t *log, bool daemonize)
Initialises the server logging functionality, and the underlying libfreeradius log.
Definition log.c:1265
int log_parse_section(CONF_SECTION *cs)
Parse a named logging section.
Definition log.c:1130
size_t syslog_facility_table_len
Definition log.c:143
fr_table_num_sorted_t const syslog_facility_table[]
Syslog facility table.
Definition log.c:66
void log_global_free(void)
Definition log.c:1301
#define PERROR(_fmt,...)
Definition log.h:228
#define DEBUG_ENABLED
True if global debug level 1 messages are enabled.
Definition log.h:257
#define RPEDEBUG(fmt,...)
Definition log.h:376
void rad_suid_up(void)
Definition util.c:881
void rad_suid_down(void)
Definition util.c:885
void rad_suid_set_down_uid(uid_t uid)
Definition util.c:877
talloc_free(reap)
int fr_debug_lvl
Definition log.c:40
fr_log_t default_log
Definition log.c:292
bool log_dates_utc
Definition log.c:290
@ L_DST_NULL
Discard log messages.
Definition log.h:83
@ L_DST_FILES
Log to a file on disk.
Definition log.h:79
@ L_DST_NUM_DEST
Definition log.h:84
@ L_DST_SYSLOG
Log to syslog.
Definition log.h:80
@ L_TIMESTAMP_ON
Always log timestamps.
Definition log.h:90
@ L_TIMESTAMP_OFF
Never log timestamps.
Definition log.h:91
@ L_TIMESTAMP_AUTO
Timestamp logging preference not specified.
Definition log.h:88
static const conf_parser_t log_config[]
static const conf_parser_t resources[]
int main_config_parse_option(char const *value)
fr_log_t debug_log
Definition main_config.c:62
static size_t config_arg_table_len
int main_config_free(main_config_t **config)
main_config_t * main_config_alloc(TALLOC_CTX *ctx)
Allocate a main_config_t struct, setting defaults.
static int xlat_config_escape(UNUSED request_t *request, fr_value_box_t *vb, UNUSED void *uctx)
void main_config_raddb_dir_set(main_config_t *config, char const *name)
Set the global radius config directory.
void main_config_exclusive_proc_done(UNUSED main_config_t const *config)
Clean up the semaphore when the main config is freed.
void main_config_hup(main_config_t *config)
static const conf_parser_t thread_config[]
int main_config_exclusive_proc(main_config_t *config)
Check to see if we're the only process using this configuration file (or PID file if specified)
static int lib_dir_on_read(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static int num_workers_dflt(CONF_PAIR **out, void *parent, CONF_SECTION *cs, fr_token_t quote, conf_parser_t const *rule)
void main_config_name_set_default(main_config_t *config, char const *name, bool overwrite_config)
Set the server name.
static int reverse_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static const conf_parser_t switch_users_config[]
static const conf_parser_t server_config[]
static int _dlhandle_free(void **dl_handle)
void hup_logfile(main_config_t *config)
static xlat_arg_parser_t const xlat_config_args[]
static const conf_parser_t security_config[]
static uint32_t num_workers_auto(main_config_t *conf, CONF_ITEM *parent)
static const conf_parser_t initial_log_config[]
Definition main_config.c:94
static fr_table_num_ordered_t config_arg_table[]
static const conf_parser_t request_config[]
static int max_request_time_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static int num_networks_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static const conf_parser_t migrate_config[]
int main_config_init(main_config_t *config)
static const conf_parser_t initial_server_config[]
static int hostname_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static int name_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Configured server name takes precedence over default values.
main_config_t const * main_config
Main server configuration.
Definition main_config.c:58
static const conf_parser_t lib_dir_on_read_config[]
static const conf_parser_t request_reuse_config[]
int main_config_exclusive_proc_child(UNUSED main_config_t const *config)
Increment the semaphore in the child process so that it's not released when the parent exits.
static const conf_parser_t interpret_config[]
static int talloc_pool_size_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static int num_workers_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
bool main_config_migrate_option_get(char const *name)
void main_config_dict_dir_set(main_config_t *config, char const *name)
Set the global dictionary directory.
#define MAX_REQUEST_TIME
Default maximum request time.
Definition main_config.h:35
char const * lib_dir
Definition main_config.h:73
CONF_SECTION * root_cs
Root of the server config.
Definition main_config.h:55
Main server configuration.
Definition main_config.h:51
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_VOID
User data.
@ FR_TYPE_BOOL
A truth value.
@ FR_TYPE_SIZE
Unsigned integer capable of representing any memory address on the local system.
unsigned int uint32_t
int fr_perm_getgrgid(TALLOC_CTX *ctx, struct group **out, gid_t gid)
Resolve a gid to a group database entry.
Definition perm.c:329
int fr_perm_getpwuid(TALLOC_CTX *ctx, struct passwd **out, uid_t uid)
Resolve a uid to a passwd entry.
Definition perm.c:203
static const conf_parser_t config[]
Definition base.c:183
#define fr_assert(_expr)
Definition rad_assert.h:38
static bool done
Definition radclient.c:81
#define DEBUG2(fmt,...)
Definition radclient.h:43
#define WARN(fmt,...)
Definition radclient.h:47
#define INFO(fmt,...)
Definition radict.c:54
static rs_t * conf
Definition radsniff.c:53
static char const * name
static const conf_parser_t xlat_config[]
Definition rlm_rest.c:154
int fr_sem_wait(int sem_id, char const *file, bool undo_on_exit, bool nonblock)
Wait for a semaphore to reach 0, then increment it by 1.
Definition sem.c:252
int fr_sem_close(int sem_id, char const *file)
Remove the semaphore, this helps with permissions issues.
Definition sem.c:329
int fr_sem_pid(pid_t *pid, int sem_id)
Return the PID of the process that last operated on the semaphore.
Definition sem.c:53
int fr_sem_get(char const *file, int proj_id, uid_t uid, gid_t gid, bool check_perm, bool must_exist)
Returns a semid for the semaphore associated with the file.
Definition sem.c:421
int fr_sem_take(int sem_id, char const *file, bool undo_on_exit)
Increment the semaphore by 1.
Definition sem.c:221
#define HAVE_SEMAPHORES
Definition sem.h:32
#define FR_SLAB_CONFIG_CONF_PARSER
conf_parser_t entries to populate user configurable slab values
Definition slab.h:35
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
void client_list_free(void)
Definition client.c:84
fr_client_list_t * client_list_parse_section(CONF_SECTION *section, int proto, TLS_UNUSED bool tls_required)
Definition client.c:469
#define fr_time()
Allow us to arbitrarily manipulate time.
Definition state_test.c:8
Definition log.h:96
bool colourise
Prefix log messages with VT100 escape codes to change text colour.
Definition log.h:101
fr_log_dst_t dst
Log destination.
Definition log.h:97
bool line_number
Log src file and line number.
Definition log.h:99
int fd
File descriptor to write messages to.
Definition log.h:112
fr_log_timestamp_t timestamp
Prefix log messages with timestamps.
Definition log.h:110
char const * file
Path to log file.
Definition log.h:113
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:653
#define fr_table_value_by_substr(_table, _name, _name_len, _def)
Convert a partial string to a value using an ordered or sorted table.
Definition table.h:693
An element in an arbitrarily ordered array of name to num mappings.
Definition table.h:57
char * talloc_typed_strdup(TALLOC_CTX *ctx, char const *p)
Call talloc_strdup, setting the type on the new chunk correctly.
Definition talloc.c:467
static int talloc_const_free(void const *ptr)
Free const'd memory.
Definition talloc.h:229
#define fr_time_gteq(_a, _b)
Definition time.h:238
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
#define fr_time_wrap(_time)
Definition time.h:145
#define fr_time_add(_a, _b)
Add a time/time delta together.
Definition time.h:196
A time delta, a difference in time measured in nanoseconds.
Definition time.h:80
"server local" time.
Definition time.h:69
enum fr_token fr_token_t
@ T_BARE_WORD
Definition token.h:120
@ T_OP_EQ
Definition token.h:83
@ T_DOUBLE_QUOTED_STRING
Definition token.h:121
close(uq->fd)
uint8_t required
Argument must be present, and non-empty.
Definition xlat.h:145
#define XLAT_ARG_PARSER_TERMINATOR
Definition xlat.h:169
xlat_action_t
Definition xlat.h:37
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition xlat.h:44
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition xlat.h:43
Definition for a single argument consumend by an xlat function.
Definition xlat.h:144
#define FR_DICTIONARY_INTERNAL_DIR
Definition conf.h:8
static fr_slen_t parent
Definition pair.h:845
char const * fr_strerror(void)
Get the last library error.
Definition strerror.c:553
void fr_perror(char const *fmt,...)
Print the current error to stderr with a prefix.
Definition strerror.c:732
void fr_strerror_clear(void)
Clears all pending messages from the talloc pools.
Definition strerror.c:576
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
#define fr_strerror_const(_msg)
Definition strerror.h:223
ssize_t fr_value_box_from_str(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_type_t dst_type, fr_dict_attr_t const *dst_enumv, char const *in, size_t inlen, fr_sbuff_unescape_rules_t const *erules)
Definition value.c:5459
int fr_value_box_bstr_realloc(TALLOC_CTX *ctx, char **out, fr_value_box_t *dst, size_t len)
Change the length of a buffer already allocated to a value box.
Definition value.c:4335
int fr_value_box_bstrndup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, size_t len, bool tainted)
Copy a string to to a fr_value_box_t.
Definition value.c:4379
#define fr_value_box_alloc_null(_ctx)
Allocate a value box for later use with a value assignment function.
Definition value.h:651
#define fr_value_box_init(_vb, _type, _enumv, _tainted)
Initialise a fr_value_box_t.
Definition value.h:606
static size_t char ** out
Definition value.h:1020
const conf_parser_t virtual_servers_on_read_config[]
const conf_parser_t virtual_servers_config[]
An xlat calling ctx.
Definition xlat_ctx.h:49
void xlat_func_flags_set(xlat_t *x, xlat_func_flags_t flags)
Specify flags that alter the xlat's behaviour.
Definition xlat_func.c:399
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
Definition xlat_func.c:363
xlat_t * xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func, fr_type_t return_type)
Register an xlat function.
Definition xlat_func.c:216
int xlat_func_init(void)
Definition xlat_func.c:547
@ XLAT_FUNC_FLAG_PURE
Definition xlat_func.h:38