The FreeRADIUS server $Id: f3670dba8951ca10eb4948feb3dc3db9423a334f $
Loading...
Searching...
No Matches
main_config.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 5c1b205a0b0ade7d96c90775929e25ea74bfb9d9 $
19 *
20 * @brief Handle the main server's (radiusd) configuration.
21 * @file src/lib/server/main_config.c
22 *
23 * @copyright 2002,2006-2007 The FreeRADIUS server project
24 * @copyright 2002 Alan DeKok (aland@freeradius.org)
25 */
26
27RCSID("$Id: 5c1b205a0b0ade7d96c90775929e25ea74bfb9d9 $")
28
29#include <freeradius-devel/server/cf_file.h>
30#include <freeradius-devel/server/client.h>
31#include <freeradius-devel/server/dependency.h>
32#include <freeradius-devel/server/main_config.h>
33#include <freeradius-devel/server/map_proc.h>
34#include <freeradius-devel/server/modpriv.h>
35#include <freeradius-devel/server/util.h>
36#include <freeradius-devel/server/virtual_servers.h>
37
38
39#include <freeradius-devel/util/conf.h>
40#include <freeradius-devel/util/file.h>
41#include <freeradius-devel/util/hw.h>
42#include <freeradius-devel/util/perm.h>
43#include <freeradius-devel/util/sem.h>
44#include <freeradius-devel/util/pair_legacy.h>
45
46#include <freeradius-devel/unlang/xlat_func.h>
47
48#ifdef HAVE_SYSLOG_H
49# include <syslog.h>
50#endif
51
52#ifdef HAVE_FCNTL_H
53# include <fcntl.h>
54#endif
55
56main_config_t const *main_config; //!< Main server configuration.
57
58extern fr_log_t debug_log;
59
60fr_log_t debug_log = { .fd = -1, .dst = L_DST_NULL };
61
62/*
63 * Configuration file overrides
64 */
65FR_DLIST_TYPES(fr_override_list)
66typedef FR_DLIST_HEAD(fr_override_list) fr_override_list_t;
67FR_DLIST_TYPEDEFS(fr_override_list, fr_override_list_t, fr_override_entry_t)
68
69static fr_override_list_t override;
70
71typedef struct {
72 char *name; //!< must not be 'const'
73 char *value;
74 FR_DLIST_ENTRY(fr_override_list) entry;
76
77FR_DLIST_FUNCS(fr_override_list, fr_override_t, entry)
78
79#define fr_override_list_foreach(_list_head, _iter) \
80 for (fr_override_t *JOIN(_next,_iter), *_iter = fr_override_list_head(_list_head); JOIN(_next,_iter) = fr_override_list_next(_list_head, _iter), _iter != NULL; _iter = JOIN(_next,_iter))
81
82
83/**********************************************************************
84 *
85 * We need to figure out where the logs go, before doing anything
86 * else. This is so that the log messages go to the correct
87 * place.
88 *
89 * BUT, we want the settings from the command line to over-ride
90 * the ones in the configuration file. So, these items are
91 * parsed ONLY if there is no "-l foo" on the command line.
92 *
93 **********************************************************************/
94
95static int reverse_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent,CONF_ITEM *ci, conf_parser_t const *rule);
96static int hostname_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
97
98static int num_networks_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
99static int num_workers_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
100static int num_workers_dflt(CONF_PAIR **out, void *parent, CONF_SECTION *cs, fr_token_t quote, conf_parser_t const *rule);
101
102static int lib_dir_on_read(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
103
104static int talloc_pool_size_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
105
106static int max_request_time_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
107
108static int name_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
109
110/*
111 * Log destinations
112 */
114 { FR_CONF_OFFSET("destination", main_config_t, log_dest), .dflt = "file" },
115 { FR_CONF_OFFSET("syslog_facility", main_config_t, syslog_facility), .dflt = "daemon",
117 .uctx = &(cf_table_parse_ctx_t){
118 .table = syslog_facility_table,
120 }
121 },
122 { FR_CONF_OFFSET("local_state_dir", main_config_t, local_state_dir), .dflt = "${prefix}/var"},
123 { FR_CONF_OFFSET("logdir", main_config_t, log_dir), .dflt = "${local_state_dir}/log"},
124 { FR_CONF_OFFSET("file", main_config_t, log_file), .dflt = "${logdir}/radius.log" },
125 { FR_CONF_OFFSET("suppress_secrets", main_config_t, suppress_secrets), .dflt = "yes" },
129};
130
131/*
132 * Basic configuration for the server.
133 */
135 { FR_CONF_POINTER("log", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) initial_log_config },
136
138};
139
140/*
141 * Basic configuration for the server.
142 */
144 { FR_CONF_OFFSET("prefix", main_config_t, prefix), .dflt = "/usr/local" },
145
148
149 { FR_CONF_OFFSET("libdir", main_config_t, lib_dir), .dflt = "${prefix}/lib",
151
153};
154
155/**********************************************************************
156 *
157 * Now that we've parsed the log destination, AND the security
158 * items, we can parse the rest of the configuration items.
159 *
160 **********************************************************************/
161static const conf_parser_t log_config[] = {
162 { FR_CONF_OFFSET("colourise", main_config_t, do_colourise) },
163 { FR_CONF_OFFSET("line_number", main_config_t, log_line_number) },
167};
168
169
170static const conf_parser_t resources[] = {
171 /*
172 * Don't set defaults here. They're set in the command line. This means
173 * that the config item will *not* get printed out in debug mode, so that no one knows it exists.
174 */
175 { FR_CONF_OFFSET_FLAGS("talloc_memory_report", CONF_FLAG_HIDDEN, main_config_t, talloc_memory_report) }, /* DO NOT SET DEFAULT */
176 { FR_CONF_OFFSET_FLAGS("talloc_skip_cleanup", CONF_FLAG_HIDDEN, main_config_t, talloc_skip_cleanup) }, /* DO NOT SET DEFAULT */
178};
179
180static const conf_parser_t thread_config[] = {
181 { FR_CONF_OFFSET("num_networks", main_config_t, max_networks), .dflt = STRINGIFY(1),
183 { FR_CONF_OFFSET("num_workers", main_config_t, max_workers), .dflt = STRINGIFY(0),
184 .func = num_workers_parse, .dflt_func = num_workers_dflt },
185
186 { FR_CONF_OFFSET_TYPE_FLAGS("stats_interval", FR_TYPE_TIME_DELTA, CONF_FLAG_HIDDEN, main_config_t, stats_interval) },
187
188#ifdef WITH_TLS
189 { FR_CONF_OFFSET_TYPE_FLAGS("openssl_async_pool_init", FR_TYPE_SIZE, 0, main_config_t, openssl_async_pool_init), .dflt = "64" },
190 { FR_CONF_OFFSET_TYPE_FLAGS("openssl_async_pool_max", FR_TYPE_SIZE, 0, main_config_t, openssl_async_pool_max), .dflt = "1024" },
191#endif
192
194};
195
196/*
197 * Migration configuration.
198 */
202
203#ifndef NDEBUG
204/*
205 * Migration configuration.
206 */
208 { FR_CONF_OFFSET_FLAGS("countup_instructions", CONF_FLAG_HIDDEN, main_config_t, ins_countup) },
209 { FR_CONF_OFFSET_FLAGS("max_instructions", CONF_FLAG_HIDDEN, main_config_t, ins_max) },
211};
212#endif
213
218
220 { FR_CONF_OFFSET("max", main_config_t, worker.max_requests), .dflt = "0" },
221 { FR_CONF_OFFSET("timeout", main_config_t, worker.max_request_time), .dflt = STRINGIFY(MAX_REQUEST_TIME), .func = max_request_time_parse },
222 { FR_CONF_OFFSET_TYPE_FLAGS("talloc_pool_size", FR_TYPE_SIZE, CONF_FLAG_HIDDEN, main_config_t, worker.reuse.child_pool_size), .func = talloc_pool_size_parse }, /* DO NOT SET DEFAULT */
223 { FR_CONF_OFFSET_SUBSECTION("reuse", 0, main_config_t, worker.reuse, request_reuse_config) },
225};
226
227static const conf_parser_t server_config[] = {
228 /*
229 * FIXME: 'prefix' is the ONLY one which should be
230 * configured at compile time. Hard-coding it here is
231 * bad. It will be cleaned up once we clean up the
232 * hard-coded defines for the locations of the various
233 * files.
234 */
235 { FR_CONF_OFFSET("prefix", main_config_t, prefix), .dflt = "/usr/local" },
236 { FR_CONF_OFFSET("local_state_dir", main_config_t, local_state_dir), .dflt = "${prefix}/var"},
237 { FR_CONF_OFFSET("sbin_dir", main_config_t, sbin_dir), .dflt = "${prefix}/sbin"},
238 { FR_CONF_OFFSET("logdir", main_config_t, log_dir), .dflt = "${local_state_dir}/log"},
239 { FR_CONF_OFFSET("run_dir", main_config_t, run_dir), .dflt = "${local_state_dir}/run/${name}"},
240 { FR_CONF_OFFSET("radacctdir", main_config_t, radacct_dir), .dflt = "${logdir}/radacct" },
241 { FR_CONF_OFFSET("panic_action", main_config_t, panic_action) },
242 { FR_CONF_OFFSET("reverse_lookups", main_config_t, reverse_lookups), .dflt = "no", .func = reverse_lookups_parse },
243 { FR_CONF_OFFSET("hostname_lookups", main_config_t, hostname_lookups), .dflt = "yes", .func = hostname_lookups_parse },
244 { FR_CONF_OFFSET("pidfile", main_config_t, pid_file), .dflt = "${run_dir}/radiusd.pid"},
245
246 { FR_CONF_OFFSET_FLAGS("debug_level", CONF_FLAG_HIDDEN, main_config_t, debug_level), .dflt = "0" },
247
248 { FR_CONF_POINTER("request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) request_config },
249
250 { FR_CONF_POINTER("log", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) log_config },
251
252 { FR_CONF_POINTER("resources", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) resources },
253
254 { FR_CONF_POINTER("thread", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) thread_config, .name2 = CF_IDENT_ANY },
255
256 { FR_CONF_POINTER("migrate", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) migrate_config, .name2 = CF_IDENT_ANY },
257
258#ifndef NDEBUG
259 { FR_CONF_POINTER("interpret", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) interpret_config, .name2 = CF_IDENT_ANY },
260#endif
261
262 { FR_CONF_DEPRECATED("max_requests", main_config_t, worker.max_requests) },
263 { FR_CONF_DEPRECATED("max_request_time", main_config_t, worker.max_request_time) },
264
266};
267
268
274
280
281
282/**********************************************************************
283 *
284 * The next few items are here to allow for switching of users
285 * while still opening the various output files with the correct
286 * permission.
287 *
288 * It's rare (or impossible) to have parse errors for these
289 * configuration items, so we don't worry too much about that.
290 * In contrast, when we parse the rest of the configuration, we
291 * CAN get parse errors. We want THOSE parse errors to go to the
292 * log file, and we want the log file to have the correct
293 * permissions.
294 *
295 **********************************************************************/
297#ifdef HAVE_SETUID
299 { FR_CONF_OFFSET_IS_SET("group", FR_TYPE_VOID, 0, main_config_t, gid), .func = cf_parse_gid },
300#endif
301 { FR_CONF_OFFSET("allow_core_dumps", main_config_t, allow_core_dumps), .dflt = "no" },
302
303#ifdef ENABLE_OPENSSL_VERSION_CHECK
304 { FR_CONF_OFFSET("allow_vulnerable_openssl", main_config_t, allow_vulnerable_openssl), .dflt = "no" },
305#endif
306
307#ifdef WITH_TLS
308 { FR_CONF_OFFSET_IS_SET("openssl_fips_mode", FR_TYPE_BOOL, 0, main_config_t, openssl_fips_mode), .dflt = "no" },
309#endif
310
311 { FR_CONF_OFFSET_IS_SET("chdir", FR_TYPE_STRING, 0, main_config_t, chdir), },
312
313 { FR_CONF_POINTER("limit", 0, CONF_FLAG_SUBSECTION | CONF_FLAG_OK_MISSING, NULL), .name2 = "files", .subcs = (void const *) limit_files_config },
314
315 { FR_CONF_POINTER("limit", 0, CONF_FLAG_SUBSECTION | CONF_FLAG_OK_MISSING, NULL), .name2 = "exec", .subcs = (void const *) limit_exec_config },
316
318};
319
321 { FR_CONF_POINTER("security", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) security_config },
322
323 { FR_CONF_OFFSET("name", main_config_t, name), .func = name_parse }, /* DO NOT SET DEFAULT */
324
325 { FR_CONF_OFFSET("prefix", main_config_t, prefix), .dflt = "/usr/local" },
326 { FR_CONF_OFFSET("local_state_dir", main_config_t, local_state_dir), .dflt = "${prefix}/var"},
327
328 { FR_CONF_OFFSET("run_dir", main_config_t, run_dir), .dflt = "${local_state_dir}/run/${name}"},
329
330 /*
331 * For backwards compatibility.
332 */
333#ifdef HAVE_SETUID
334 { FR_CONF_DEPRECATED("user", main_config_t, uid) },
335 { FR_CONF_DEPRECATED("group", main_config_t, gid) },
336#endif
337 { FR_CONF_DEPRECATED("chroot", main_config_t, NULL) },
338 { FR_CONF_DEPRECATED("allow_core_dumps", main_config_t, NULL) },
340};
341
342static int reverse_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent,
343 CONF_ITEM *ci, conf_parser_t const *rule)
344{
345 int ret;
346
347 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
348
349 memcpy(&fr_reverse_lookups, out, sizeof(fr_reverse_lookups));
350
351 return 0;
352}
353
354static int hostname_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent,
355 CONF_ITEM *ci, conf_parser_t const *rule)
356{
357 int ret;
358
359 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
360
362
363 return 0;
364}
365
366static int talloc_pool_size_parse(TALLOC_CTX *ctx, void *out, void *parent,
367 CONF_ITEM *ci, conf_parser_t const *rule)
368{
369 int ret;
370 size_t value;
371
372 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
373
374 memcpy(&value, out, sizeof(value));
375
376 FR_SIZE_BOUND_CHECK("request.talloc_pool_size", value, >=, (size_t)(2 * 1024));
377 FR_SIZE_BOUND_CHECK("request.talloc_pool_size", value, <=, (size_t)(1024 * 1024));
378
379 memcpy(out, &value, sizeof(value));
380
381 return 0;
382}
383
384static int max_request_time_parse(TALLOC_CTX *ctx, void *out, void *parent,
385 CONF_ITEM *ci, conf_parser_t const *rule)
386{
387 int ret;
389
390 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
391
392 memcpy(&value, out, sizeof(value));
393
394 FR_TIME_DELTA_BOUND_CHECK("request.timeout", value, >=, fr_time_delta_from_sec(5));
395 FR_TIME_DELTA_BOUND_CHECK("request.timeout", value, <=, fr_time_delta_from_sec(120));
396
397 memcpy(out, &value, sizeof(value));
398
399 return 0;
400}
401
402static int lib_dir_on_read(UNUSED TALLOC_CTX *ctx, UNUSED void *out, UNUSED void *parent,
403 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
404{
405 CONF_PAIR *cp = cf_item_to_pair(ci);
406 char const *value;
407
408 fr_assert(main_config != NULL);
409 value = cf_pair_value(cp);
410 if (value) {
412
413 memcpy(&config, &main_config, sizeof(config)); /* const issues */
414
415 config->lib_dir = value;
416 }
417
418 /*
419 * Initialize the DL infrastructure, which is used by the
420 * config file parser. And also add in the search path.
421 */
423 cf_log_perr(ci, "Failed initializing 'lib_dir'");
424 return -1;
425 }
426
427 return 0;
428}
429
430/** Configured server name takes precedence over default values
431 *
432 */
433static int name_parse(TALLOC_CTX *ctx, void *out, void *parent,
434 CONF_ITEM *ci, conf_parser_t const *rule)
435{
437
438 if (*((char **)out)) {
439 if (config->overwrite_config_name) return 0; /* Don't change */
440
441 talloc_free(*((char **)out)); /* Free existing buffer */
442 }
443
444 return cf_pair_parse_value(ctx, out, parent, ci, rule); /* Set new value */
445}
446
447static int num_networks_parse(TALLOC_CTX *ctx, void *out, void *parent,
448 CONF_ITEM *ci, conf_parser_t const *rule)
449{
450 int ret;
452
453 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
454
455 memcpy(&value, out, sizeof(value));
456
457 FR_INTEGER_BOUND_CHECK("thread.num_networks", value, ==, 1);
458
459 memcpy(out, &value, sizeof(value));
460
461 return 0;
462}
463
464static inline CC_HINT(always_inline)
466{
468
470 if (value == 0) {
471 cf_log_pwarn(parent, "Failed retrieving core count, defaulting to 1 worker");
472 value = 1;
473 }
474
475 /*
476 * If we've got more than four times
477 * the number of cores as we have
478 * networks, then set the number of
479 * workers to the number of cores
480 * minus networks.
481 *
482 * This ensures at a least a 4:1
483 * ratio of workers to networks,
484 * which seems like a sensible ratio.
485 */
486 else if (value > (conf->max_networks * 4)) {
487 value -= conf->max_networks;
488 }
489
490 return value;
491}
492
493static int num_workers_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
494{
495 int ret;
498
499 if ((ret = cf_pair_parse_value(ctx, out, parent, ci, rule)) < 0) return ret;
500
501 memcpy(&value, out, sizeof(value));
502
503 if (value == 0) value = num_workers_auto(conf, ci);
504
505 /*
506 * If no value is specified, try and
507 * discover it automatically.
508 */
509 FR_INTEGER_BOUND_CHECK("thread.num_workers", value, >=, 1);
510 FR_INTEGER_BOUND_CHECK("thread.num_workers", value, <=, 128);
511
512 memcpy(out, &value, sizeof(value));
513
514 return 0;
515}
516
517static int num_workers_dflt(CONF_PAIR **out, void *parent, CONF_SECTION *cs, fr_token_t quote, conf_parser_t const *rule)
518{
519 char *strvalue;
522
524 strvalue = talloc_asprintf(NULL, "%u", value);
525 *out = cf_pair_alloc(cs, rule->name1, strvalue, T_OP_EQ, T_BARE_WORD, quote);
526 talloc_free(strvalue);
527
528 /*
529 * Otherwise just create as many
530 * workers as we have cores.
531 */
532 cf_log_info(cs, "Dynamically determined thread.workers = %u", value);
533
534 return 0;
535}
536
537static int xlat_config_escape(UNUSED request_t *request, fr_value_box_t *vb, UNUSED void *uctx)
538{
539 static char const disallowed[] = "%{}\\'\"`";
540 size_t outmax = vb->vb_length * 3;
541 char *escaped;
542 char const *in, *end;
543 char *out;
544
545 if (!vb->vb_length) return 0;
546
547 fr_assert(vb->type == FR_TYPE_STRING);
548
549 escaped = out = talloc_array(vb, char, outmax + 1);
550 if (!escaped) return -1;
551
552 end = escaped + outmax;
553
554 for (in = vb->vb_strvalue; in < (vb->vb_strvalue + vb->vb_length); in++) {
555 /*
556 * Non-printable characters get replaced with their
557 * mime-encoded equivalents.
558 */
559 if (in[0] < 32) {
560 snprintf(out, (size_t) (end - out), "=%02X", (unsigned char) in[0]);
561 out += 3;
562 continue;
563 }
564
565 if (strchr(disallowed, *in) != NULL) {
566 out[0] = '\\';
567 out[1] = *in;
568 out += 2;
569 continue;
570 }
571
572 /*
573 * Allowed character.
574 */
575 *out = *in;
576 out++;
577 }
578 *out = '\0';
579
580 /*
581 * No change - do nothing.
582 */
583 if ((size_t) (out - escaped) == vb->vb_length) {
584 talloc_free(escaped);
585 return 0;
586 }
587
588 /*
589 * Replace the original string.
590 */
591 (void) fr_value_box_bstrndup(vb, vb, vb->enumv, escaped, (size_t) (out - escaped), vb->tainted);
592 talloc_free(escaped);
593
594 return 0;
595
596}
597
599 { .required = true, .concat = true, .type = FR_TYPE_STRING, .always_escape = true, .func = xlat_config_escape },
601};
602
603/** xlat to get config values
604 *
605@verbatim
606%config(section.subsection.attribute)
607@endverbatim
608 *
609 * @ingroup xlat_functions
610 */
611static xlat_action_t xlat_config(TALLOC_CTX *ctx, fr_dcursor_t *out,
612 UNUSED xlat_ctx_t const *xctx,
613 request_t *request, fr_value_box_list_t *in)
614{
615 char const *value;
616 CONF_PAIR *cp;
617 CONF_ITEM *ci;
618 fr_value_box_t *in_head = fr_value_box_list_head(in);
619 fr_value_box_t *vb;
620
621 ci = cf_reference_item(main_config->root_cs, main_config->root_cs, in_head->vb_strvalue);
622 if (!ci || !cf_item_is_pair(ci)) {
623 RPEDEBUG("Failed finding configuration item '%s'", in_head->vb_strvalue);
624 return XLAT_ACTION_FAIL;
625 }
626
627 cp = cf_item_to_pair(ci);
628
629 value = cf_pair_value(cp);
630 if (!value) return XLAT_ACTION_DONE;
631
632 MEM(vb = fr_value_box_alloc_null(ctx));
633 fr_value_box_bstrndup(vb, vb, NULL, value, strlen(value), false);
635
636 return XLAT_ACTION_DONE;
637}
638
639#ifdef HAVE_SETUID
640static int mkdir_chown(int fd, char const *path, void *uctx)
641{
642 main_config_t *config = uctx;
643 int ret = 0;
644
645 if ((config->server_uid != (uid_t)-1) || (config->server_gid != (gid_t)-1)) {
646 rad_suid_up();
647 ret = fchown(fd, config->server_uid, config->server_gid);
648 if (ret < 0) fr_strerror_printf("Failed changing ownership on directory \"%s\": %s",
649 path, fr_syserror(errno));
651 }
652
653 return ret;
654}
655/*
656 * Switch UID and GID to what is specified in the config file
657 */
658static int switch_users(main_config_t *config, CONF_SECTION *cs)
659{
660 bool do_suid = false;
661 bool do_sgid = false;
662
663 /*
664 * Get the current maximum for core files. Do this
665 * before anything else so as to ensure it's properly
666 * initialized.
667 */
668 if (fr_set_dumpable_init() < 0) {
669 fr_perror("%s", config->name);
670 return -1;
671 }
672
674 fprintf(stderr, "%s: Error: Failed pushing parse rules for user/group information.\n",
675 config->name);
676 return -1;
677 }
678
679 DEBUG("Parsing security rules to bootstrap UID / GID / etc.");
680 if (cf_section_parse(config, config, cs) < 0) {
681 fprintf(stderr, "%s: Error: Failed to parse user/group information.\n",
682 config->name);
683 return -1;
684 }
685
686 /*
687 * Don't do setuid/setgid if we're in debugging
688 * as non-root.
689 */
690 if (DEBUG_ENABLED && (getuid() != 0)) {
691 WARN("Ignoring configured UID / GID as we're running in debug mode");
692 return 0;
693 }
694#ifdef HAVE_GRP_H
695 /*
696 * Get the correct GID for the server.
697 */
698 config->server_gid = getgid();
699 if (config->gid_is_set && (config->server_gid != config->gid)) {
700 config->server_gid = config->gid;
701 do_sgid = true;
702 }
703#endif
704
705 /*
706 * Get the correct UID for the server.
707 */
708 config->server_uid = getuid();
709 if (config->uid_is_set && (config->server_uid != config->uid)) {
710 /*
711 * We're not the correct user. Go set that.
712 */
713 config->server_uid = config->uid;
714 do_suid = true;
715
716#ifdef HAVE_INITGROUPS
717 {
718 struct passwd *user;
719
720 if (fr_perm_getpwuid(config, &user, config->uid) < 0) {
721 fprintf(stderr, "%s: Failed resolving UID %i: %s\n",
722 config->name, (int)config->uid, fr_syserror(errno));
723 return -1;
724 }
725
726 if (initgroups(user->pw_name, config->server_gid) < 0) {
727 fprintf(stderr, "%s: Cannot initialize supplementary group list "
728 "for user %s: %s\n",
729 config->name, user->pw_name, fr_syserror(errno));
730 talloc_free(user);
731 return -1;
732 }
733
734 talloc_free(user);
735 }
736#endif
737 }
738
739 /*
740 * Set the user/group we're going to use
741 * to check read permissions on configuration files.
742 */
743 cf_file_check_set_uid_gid(config->server_uid ? config->server_uid : (uid_t)-1,
744 config->server_gid ? config->server_gid : (gid_t)-1);
745
746#ifdef HAVE_GRP_H
747 /*
748 * Set the GID. Don't bother checking it.
749 */
750 if (do_sgid) {
751 if (setgid(config->server_gid) < 0) {
752 struct group *group;
753
754 if (fr_perm_getgrgid(config, &group, config->gid) < 0) {
755 fprintf(stderr, "%s: Failed resolving GID %i: %s\n",
756 config->name, (int)config->gid, fr_syserror(errno));
757 return -1;
758 }
759
760 fprintf(stderr, "%s: Failed setting group to %s: %s",
761 config->name, group->gr_name, fr_syserror(errno));
762 talloc_free(group);
763 return -1;
764 }
765 }
766#endif
767
768 /*
769 * The directories for PID files and logs must exist. We
770 * need to create them if we're told to write files to
771 * those directories.
772 *
773 * Because this creation is new in 3.0.9, it's a soft
774 * fail.
775 *
776 */
777 if (config->write_pid) {
778 /*
779 * Control sockets may be accessible by users
780 * other than the freeradius user, so we need
781 * to allow 'other' to traverse the run
782 * directory.
783 *
784 * The freeradius user should be the only one
785 * allowed to write to this directory however.
786 */
787 if (fr_mkdir(NULL, config->run_dir, -1, 0755, mkdir_chown, config) < 0) {
788 WARN("Failed creating run_dir %s: %s", config->run_dir, fr_syserror(errno));
789 }
790 }
791
792 if ((default_log.dst == L_DST_FILES) && config->log_dir) {
793 /*
794 * Every other Linux daemon allows 'other'
795 * to traverse the log directory. That doesn't
796 * mean the actual files should be world
797 * readable.
798 */
799 if (fr_mkdir(NULL, config->log_dir, -1, 0755, mkdir_chown, config) < 0) {
800 WARN("Failed creating log_dir %s: %s", config->log_dir, fr_syserror(errno));
801 }
802 }
803
804 /*
805 * If we don't already have a log file open, open one
806 * now. We may not have been logging anything yet. The
807 * server normally starts up fairly quietly.
808 */
809 if ((default_log.dst == L_DST_FILES) &&
810 (default_log.fd < 0)) {
811 default_log.fd = open(config->log_file,
812 O_WRONLY | O_APPEND | O_CREAT, 0640);
813 if (default_log.fd < 0) {
814 fprintf(stderr, "%s: Failed to open log file %s: %s\n",
815 config->name, config->log_file, fr_syserror(errno));
816 return -1;
817 }
818 }
819
820 /*
821 * If we need to change UID, ensure that the log files
822 * have the correct owner && group.
823 *
824 * We have to do this because some log files MAY already
825 * have been written as root. We need to change them to
826 * have the correct ownership before proceeding.
827 */
828 if ((do_suid || do_sgid) &&
830 if (fchown(default_log.fd, config->server_uid, config->server_gid) < 0) {
831 fprintf(stderr, "%s: Cannot change ownership of log file %s: %s\n",
832 config->name, config->log_file, fr_syserror(errno));
833 return -1;
834 }
835 }
836
837 /*
838 * Once we're done with all of the privileged work,
839 * permanently change the UID.
840 */
841 if (do_suid) {
842 rad_suid_set_down_uid(config->server_uid);
844 }
845
846 return 0;
847}
848#endif /* HAVE_SETUID */
849
850
851/** Set the server name
852 *
853 * @note Will only add pair if one does not already exist
854 *
855 * @param[in] config to alter.
856 * @param[in] name to set e.g. "radiusd".
857 * @param[in] overwrite_config replace any CONF_PAIRs with this value.
858 */
859void main_config_name_set_default(main_config_t *config, char const *name, bool overwrite_config)
860{
861 if (config->name) {
862 char *p;
863
864 memcpy(&p, &config->name, sizeof(p));
865 talloc_free(p);
866 config->name = NULL;
867 }
868 if (name) config->name = talloc_strdup(config, name);
869
870 config->overwrite_config_name = overwrite_config;
871}
872
873/** Set the global radius config directory.
874 *
875 * @param[in] config to alter.
876 * @param[in] name to set as main configuration directory.
877 */
879{
880 if (config->confdir) {
881 talloc_const_free(config->confdir);
882 config->confdir = NULL;
883 }
884 if (name) config->confdir = talloc_strdup(config, name);
885}
886
887/** Clean up the semaphore when the main config is freed
888 *
889 * This helps with permissions issues if the user is switching between
890 * running the process under something like systemd and running it under
891 * debug mode.
892 */
894#ifndef HAVE_SEMAPHORES
895 UNUSED
896#endif
897 main_config_t const *config)
898{
899#ifdef HAVE_SEMAPHORES
900 if (config->multi_proc_sem_id >= 0) fr_sem_close(config->multi_proc_sem_id, NULL);
901#endif
902}
903
904/** Increment the semaphore in the child process so that it's not released when the parent exits
905 *
906 * @param[in] config specifying the path to the main config file.
907 * @return
908 * - 0 on success.
909 * - -1 on failure.
910 */
912#ifndef HAVE_SEMAPHORES
913 UNUSED
914#endif
915 main_config_t const *config)
916{
917#ifdef HAVE_SEMAPHORES
918 return fr_sem_take(config->multi_proc_sem_id, config->multi_proc_sem_path, true);
919#else
920 return 0;
921#endif
922}
923
924/** Check to see if we're the only process using this configuration file (or PID file if specified)
925 *
926 * @param[in] config specifying the path to the main config file.
927 * @return
928 * - 1 if another process is running with this config file
929 * - 0 if no other process is running with this config file.
930 * - -1 on error.
931 */
933{
934 char *path;
935
936#ifdef HAVE_SEMAPHORES
937 int sem_id;
938#endif
939
940 int ret = 0;
941 FILE *fp = NULL;
942 static bool sem_initd;
943
944 if (unlikely(sem_initd)) return 0;
945
946 if (config->write_pid) {
947 fr_assert(config->pid_file);
948 fp = fopen(config->pid_file, "w");
949 if (!fp) {
950 fr_strerror_printf("Refusing to start - Failed creating PID file at \"%s\" - %s",
951 config->pid_file, fr_syserror(errno));
952 return -1;
953 }
954 MEM(path = talloc_strdup(config, config->pid_file));
955 } else {
956 MEM(path = talloc_asprintf(config, "%s/%s.conf", config->confdir, config->name));
957 }
958
959#ifdef HAVE_SEMAPHORES
960 sem_id = fr_sem_get(path, 0,
961 main_config->uid_is_set ? main_config->uid : geteuid(),
962 main_config->gid_is_set ? main_config->gid : getegid(),
963 true, false);
964 if (sem_id < 0) {
965 talloc_free(path);
966 ret = -1;
967 goto done;
968 }
969
970 config->multi_proc_sem_id = -1;
971
972 ret = fr_sem_wait(sem_id, path, true, true);
973 switch (ret) {
974 case 0: /* we have the semaphore */
975 talloc_free(config->multi_proc_sem_path); /* Allow this to be called multiple times */
976 config->multi_proc_sem_id = sem_id;
977 config->multi_proc_sem_path = path;
978 sem_initd = true;
979 break;
980
981 case 1: /* another process has the semaphore */
982 {
983 pid_t pid;
984
985 fr_sem_pid(&pid, sem_id);
986 fr_strerror_printf("Refusing to start - PID %u already running with \"%s\"", pid, path);
987 talloc_free(path);
988 }
989 break;
990
991 default:
992 talloc_free(path);
993 break;
994 }
995done:
996#endif
997 if (fp != NULL) fclose(fp);
998
999 return ret;
1000}
1001
1002/** Set the global dictionary directory.
1003 *
1004 * @param[in] config to alter.
1005 * @param[in] name to set as dict dir root e.g. /usr/local/share/freeradius.
1006 */
1008{
1009 if (config->dict_dir) {
1010 talloc_const_free(config->dict_dir);
1011 config->dict_dir = NULL;
1012 }
1013 if (name) config->dict_dir = talloc_strdup(config, name);
1014}
1015
1016/** Allocate a main_config_t struct, setting defaults
1017 *
1018 */
1020{
1022
1023 config = talloc_zero(ctx, main_config_t);
1024 if (!config) {
1025 fr_strerror_const("Failed allocating main config");
1026 return NULL;
1027 }
1028
1029 /*
1030 * Set the defaults from compile time arguments
1031 * these can be overridden later on the command line.
1032 */
1035
1037
1038 fr_override_list_init(&override);
1039
1040 return config;
1041}
1042
1043static int _dlhandle_free(void **dl_handle)
1044{
1045 dlclose(*dl_handle);
1046 return 0;
1047}
1048
1049/*
1050 * Read config files.
1051 *
1052 * This function can ONLY be called from the main server process.
1053 */
1055{
1056 char const *p = NULL;
1057 CONF_SECTION *cs = NULL, *subcs;
1058 struct stat statbuf;
1059 bool can_colourise = false;
1060 char buffer[1024];
1061 xlat_t *xlat;
1062
1063 /*
1064 * Initialize the xlats before we load the configuration files,
1065 * so that we can later call xlat_func_register().
1066 */
1068
1069 if (stat(config->confdir, &statbuf) < 0) {
1070 ERROR("Error checking confdir \"%s\": %s", config->confdir, fr_syserror(errno));
1071 return -1;
1072 }
1073
1074#ifdef S_IWOTH
1075 if ((statbuf.st_mode & S_IWOTH) != 0) {
1076 ERROR("Configuration directory %s is globally writable. "
1077 "Refusing to start due to insecure configuration", config->confdir);
1078 return -1;
1079 }
1080#endif
1081
1082#if 0 && defined(S_IROTH)
1083 if (statbuf.st_mode & S_IROTH != 0) {
1084 ERROR("Configuration directory %s is globally readable. "
1085 "Refusing to start due to insecure configuration", config->confdir);
1086 return -1;
1087 }
1088#endif
1089 INFO("Starting - reading configuration files ...");
1090
1091 cs = cf_section_alloc(NULL, NULL, "main", NULL);
1092 if (!cs) return -1;
1093
1094 /*
1095 * Add a 'feature' subsection off the main config
1096 * We check if it's defined first, as the user may
1097 * have defined their own feature flags, or want
1098 * to manually override the ones set by modules
1099 * or the server.
1100 */
1101 subcs = cf_section_find(cs, "feature", NULL);
1102 if (!subcs) {
1103 subcs = cf_section_alloc(cs, cs, "feature", NULL);
1104 if (!subcs) {
1105 failure:
1106 fr_dict_free(&config->dict, __FILE__);
1107 talloc_free(cs);
1108 return -1;
1109 }
1110 }
1112
1114 PERROR("Failed reading internal dictionaries");
1115 goto failure;
1116 }
1117
1118 /*
1119 * Special-case things. If the output is a TTY, AND
1120 * we're debugging, colourise things. This flag also
1121 * removes the "Debug : " prefix from the log messages.
1122 */
1123 p = getenv("TERM");
1124 if (p && isatty(default_log.fd) && strstr(p, "xterm") && fr_debug_lvl) {
1125 can_colourise = default_log.colourise = true;
1126 } else {
1127 can_colourise = default_log.colourise = false;
1128 }
1129 default_log.line_number = config->log_line_number;
1130
1131 /*
1132 * Add a 'version' subsection off the main config
1133 * We check if it's defined first, this is for
1134 * backwards compatibility.
1135 */
1136 subcs = cf_section_find(cs, "version", NULL);
1137 if (!subcs) {
1138 subcs = cf_section_alloc(cs, cs, "version", NULL);
1139 if (!subcs) goto failure;
1140 }
1142
1143 /*
1144 * @todo - not quite done yet... these dictionaries have
1145 * to be loaded from confdir. But the
1146 * fr_dict_autoload_t has a base_dir pointer
1147 * there... it's probably best to pass confdir into
1148 * fr_dict_autoload() and have it use that instead.
1149 *
1150 * Once that's done, the proto_foo dictionaries SHOULD be
1151 * autoloaded, AND loaded before the configuration files
1152 * are read.
1153 *
1154 * And then all of the modules have to be updated to use
1155 * their local dict pointer, instead of NULL.
1156 */
1157 if (cf_section_rules_push(cs, lib_dir_on_read_config) < 0) goto failure;
1158 if (cf_section_rules_push(cs, virtual_servers_on_read_config) < 0) goto failure;
1159
1160 /*
1161 * Track the status of the configuration.
1162 */
1164
1165 /* Read the configuration file */
1166 snprintf(buffer, sizeof(buffer), "%.200s/%.50s.conf", config->confdir, config->name);
1167 if (cf_file_read(cs, buffer, true) < 0) {
1168 ERROR("Error reading or parsing %s", buffer);
1169 goto failure;
1170 }
1171
1172 /*
1173 * Do any fixups here that might be used in references
1174 */
1175 if (config->name) {
1176 CONF_PAIR *cp;
1177
1178 cp = cf_pair_find(cs, "name");
1179 if (cp){
1180 if (config->overwrite_config_name && (cf_pair_replace(cs, cp, config->name) < 0)) {
1181 ERROR("Failed adding/replacing \"name\" config item");
1182 goto failure;
1183 }
1184 } else {
1186 }
1187 }
1188
1189 if (cf_section_pass2(cs) < 0) goto failure;
1190
1191 /*
1192 * Parse environment variables first.
1193 */
1194 subcs = cf_section_find(cs, "ENV", NULL);
1195 if (subcs) {
1196 char const *attr, *value;
1197 CONF_PAIR *cp;
1198 CONF_ITEM *ci;
1199
1200 for (ci = cf_item_next(subcs, NULL);
1201 ci != NULL;
1202 ci = cf_item_next(subcs, ci)) {
1203 if (cf_item_is_data(ci)) continue;
1204
1205 if (!cf_item_is_pair(ci)) {
1206 cf_log_err(ci, "Unexpected item in ENV section");
1207 goto failure;
1208 }
1209
1210 cp = cf_item_to_pair(ci);
1211 if (cf_pair_operator(cp) != T_OP_EQ) {
1212 cf_log_err(ci, "Invalid operator for item in ENV section");
1213 goto failure;
1214 }
1215
1216 attr = cf_pair_attr(cp);
1217 value = cf_pair_value(cp);
1218 if (!value) {
1219 if (unsetenv(attr) < 0) {
1220 cf_log_err(ci, "Failed deleting environment variable %s: %s",
1221 attr, fr_syserror(errno));
1222 goto failure;
1223 }
1224 } else {
1225 void *handle;
1226 void **handle_p;
1227
1228 if (setenv(attr, value, 1) < 0) {
1229 cf_log_err(ci, "Failed setting environment variable %s: %s",
1230 attr, fr_syserror(errno));
1231 goto failure;
1232 }
1233
1234 /*
1235 * Hacks for LD_PRELOAD.
1236 */
1237 if (strcmp(attr, "LD_PRELOAD") != 0) continue;
1238
1239 handle = dlopen(value, RTLD_NOW | RTLD_GLOBAL);
1240 if (!handle) {
1241 cf_log_err(ci, "Failed loading library %s: %s", value, dlerror());
1242 goto failure;
1243 }
1244
1245 /*
1246 * Wrap the pointer, so we can set a destructor.
1247 */
1248 MEM(handle_p = talloc(NULL, void *));
1249 *handle_p = handle;
1250 talloc_set_destructor(handle_p, _dlhandle_free);
1251 (void) cf_data_add(subcs, handle_p, value, true);
1252 }
1253 } /* loop over pairs in ENV */
1254 } /* there's an ENV subsection */
1255
1256 /*
1257 * Now that we've read the configuration files, override the values.
1258 */
1259 fr_override_list_foreach(&override, ov) {
1260 if (cf_pair_replace_or_add(cs, ov->name, ov->value) < 0) {
1261 fprintf(stderr, "%s: Error: Cannot update configuration item '%s' - %s.\n",
1262 config->name, ov->name, fr_strerror());
1263 goto failure;
1264 }
1265 }
1266
1267 /*
1268 * Parse log section of main config.
1269 */
1271 fprintf(stderr, "%s: Error: Failed pushing rules for log {} section.\n",
1272 config->name);
1273 goto failure;
1274 }
1275
1276 DEBUG("Parsing initial logging configuration.");
1277 if (cf_section_parse(config, config, cs) < 0) {
1278 fprintf(stderr, "%s: Error: Failed to parse log{} section.\n",
1279 config->name);
1280 goto failure;
1281 }
1282
1283 /*
1284 * If there was no log destination set on the command line,
1285 * set it now.
1286 */
1287 if (default_log.dst == L_DST_NULL) {
1288 if (!config->log_dest) {
1289 fprintf(stderr, "%s: Error: No log destination specified.\n",
1290 config->name);
1291 goto failure;
1292 }
1293
1295
1296 switch (default_log.dst) {
1297 case L_DST_NUM_DEST:
1298 fprintf(stderr, "%s: Error: Unknown log_destination %s\n",
1299 config->name, config->log_dest);
1300 goto failure;
1301
1302#ifdef HAVE_SYSLOG_H
1303 case L_DST_SYSLOG:
1304 /*
1305 * Call openlog only once, when the
1306 * program starts.
1307 */
1308 openlog(config->name, LOG_PID, config->syslog_facility);
1309 break;
1310#endif
1311
1312 case L_DST_FILES:
1313 if (!config->log_file) {
1314 fprintf(stderr, "%s: Error: Specified \"files\" as a log destination, but no log filename was given!\n",
1315 config->name);
1316 goto failure;
1317 }
1318 default_log.file = config->log_file;
1319 break;
1320
1321 default:
1322 break;
1323 }
1324 }
1325
1326 /*
1327 * Only set timestamp logging from the config file if no value was
1328 * specified on the command line.
1329 */
1330 if (config->log_timestamp_is_set && (default_log.timestamp == L_TIMESTAMP_AUTO)) {
1332 }
1333
1334 default_log.dates_utc = config->log_dates_utc;
1335
1336#ifdef HAVE_SETUID
1337 /*
1338 * Switch users as early as possible.
1339 */
1340 if (switch_users(config, cs) < 0) goto failure;
1341#endif
1342
1343 /*
1344 * This also clears the dumpable flag if core dumps
1345 * aren't allowed.
1346 */
1347 if (fr_set_dumpable(config->allow_core_dumps) < 0) PERROR("Failed enabling core dumps");
1348 if (config->allow_core_dumps) INFO("Core dumps are enabled");
1349
1350 /*
1351 * This allows us to figure out where, relative to
1352 * radiusd.conf, the other configuration files exist.
1353 */
1354 if (cf_section_rules_push(cs, server_config) < 0) goto failure;
1355 if (cf_section_rules_push(cs, virtual_servers_config) < 0) goto failure;
1356
1357 DEBUG("Parsing main configuration");
1358 if (cf_section_parse(config, config, cs) < 0) goto failure;
1359
1360 /*
1361 * Reset the colourisation state. The configuration
1362 * files can disable colourisation if the terminal
1363 * supports it. The configuration files *cannot* enable
1364 * colourisation if the terminal window doesn't support
1365 * it.
1366 */
1367 if (can_colourise && !config->do_colourise) {
1368 default_log.colourise = false;
1369 }
1370
1371 /*
1372 * Starting the server, WITHOUT "-x" on the
1373 * command-line: use whatever is in the config
1374 * file.
1375 */
1376 if (fr_debug_lvl == 0) fr_debug_lvl = config->debug_level;
1377
1378 INFO("Switching to configured log settings");
1379
1380 /*
1381 * Free the old configuration items, and replace them
1382 * with the new ones.
1383 *
1384 * Note that where possible, we do atomic switch-overs,
1385 * to ensure that the pointers are always valid.
1386 */
1387 fr_assert(config->root_cs == NULL);
1388
1389 /*
1390 * Redirect stderr/stdout as appropriate.
1391 */
1392 if (log_global_init(&default_log, config->daemonize) < 0) {
1393 cf_log_err(cs, "Failed initializing logging");
1394 goto failure;
1395 }
1396
1397 /*
1398 * Load different logging destinations.
1399 */
1400 for (subcs = cf_section_find_next(cs, NULL, "log", CF_IDENT_ANY);
1401 subcs != NULL;
1402 subcs = cf_section_find_next(cs, subcs, "log", CF_IDENT_ANY)) {
1403 if (!cf_section_name2(subcs)) continue;
1404
1405 if (log_parse_section(subcs) < 0) {
1406 cf_log_err(subcs, "Failed parsing log section: %s", fr_strerror());
1407 goto failure;
1408 }
1409 }
1410
1411 DEBUG2("%s: #### Loading Clients ####", config->name);
1412 if (!client_list_parse_section(cs, 0, false)) goto failure;
1413
1414 /*
1415 * Register the %config(section.subsection) xlat function.
1416 */
1417 if (unlikely((xlat = xlat_func_register(NULL, "config", xlat_config, FR_TYPE_STRING)) == NULL)) goto failure;
1420
1421 config->root_cs = cs; /* Do this last to avoid dangling pointers on error */
1422
1423 /* Clear any unprocessed configuration errors */
1425
1426 return 0;
1427}
1428
1429/*
1430 * Free the configuration. Called only when the server is exiting.
1431 */
1433{
1434 /*
1435 * Frees request specific logging resources which is OK
1436 * because all the requests will have been stopped.
1437 */
1439
1440 /*
1441 * Clean up the configuration data
1442 * structures.
1443 */
1445
1446 /*
1447 * Frees current config and any previous configs.
1448 */
1449 TALLOC_FREE((*config)->root_cs);
1450 fr_dict_free(&(*config)->dict, __FILE__);
1451 TALLOC_FREE(*config);
1452
1453 return 0;
1454}
1455
1457{
1458 int fd, old_fd;
1459
1460 if (default_log.dst != L_DST_FILES) return;
1461
1462 fd = open(config->log_file, O_WRONLY | O_APPEND | O_CREAT, 0640);
1463 if (fd >= 0) {
1464 /*
1465 * Atomic swap. We'd like to keep the old
1466 * FD around so that callers don't
1467 * suddenly find the FD closed, and the
1468 * writes go nowhere. But that's hard to
1469 * do. So... we have the case where a
1470 * log message *might* be lost on HUP.
1471 */
1472 old_fd = default_log.fd;
1473 default_log.fd = fd;
1474 close(old_fd);
1475 }
1476}
1477
1479{
1480 fr_time_t when;
1481
1482 static fr_time_t last_hup = fr_time_wrap(0);
1483
1484 /*
1485 * Re-open the log file. If we can't, then keep logging
1486 * to the old log file.
1487 *
1488 * The "open log file" code is here rather than in log.c,
1489 * because it makes that function MUCH simpler.
1490 */
1492
1493 /*
1494 * Only check the config files every few seconds.
1495 */
1496 when = fr_time();
1497 if (fr_time_gteq(fr_time_add(last_hup, fr_time_delta_from_sec(2)), when)) {
1498 INFO("HUP - Last HUP was too recent. Ignoring");
1499 return;
1500 }
1501 last_hup = when;
1502
1503 INFO("HUP - NYI in version 4"); /* Not yet implemented in v4 */
1504}
1505
1506/*
1507 * Migration function that allows for command-line over-ride of
1508 * data structures which need to be initialized before the
1509 * configuration files are loaded.
1510 *
1511 * This should really only be temporary, until we get rid of flat vs nested.
1512 */
1513int main_config_save_override(char const *str)
1514{
1515 char *p;
1516 fr_override_t *ov;
1517
1518 MEM(ov = talloc_zero(main_config, fr_override_t));
1519
1520 MEM(ov->name = talloc_strdup(ov, str));
1521
1522 p = strchr(ov->name, '=');
1523 if (!p) {
1524 talloc_free(ov);
1525 fr_strerror_const("Missing '='");
1526 return -1;
1527 }
1528
1529 *p++ = '\0';
1530 if (!*p) {
1531 talloc_free(ov);
1532 fr_strerror_const("Missing value after '='");
1533 return -1;
1534 }
1535 ov->value = p;
1536
1537 fr_override_list_insert_tail(&override, ov);
1538 return 0;
1539}
static int const char char buffer[256]
Definition acutest.h:576
#define RCSID(id)
Definition build.h:512
#define STRINGIFY(x)
Definition build.h:216
#define unlikely(_x)
Definition build.h:407
#define UNUSED
Definition build.h:336
void cf_md5_init(void)
Definition cf_file.c:3495
int cf_file_read(CONF_SECTION *cs, char const *filename, bool root)
Definition cf_file.c:3877
int cf_section_pass2(CONF_SECTION *cs)
Definition cf_file.c:1130
CONF_ITEM * cf_reference_item(CONF_SECTION const *parent_cs, CONF_SECTION const *outer_cs, char const *ptr)
Definition cf_file.c:4222
void cf_file_check_set_uid_gid(uid_t uid, gid_t gid)
Set the euid/egid used when performing file checks.
Definition cf_file.c:824
int cf_section_parse(TALLOC_CTX *ctx, void *base, CONF_SECTION *cs)
Parse a configuration section into user-supplied variables.
Definition cf_parse.c:1289
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1724
int cf_pair_parse_value(TALLOC_CTX *ctx, void *out, UNUSED void *base, CONF_ITEM *ci, conf_parser_t const *rule)
Parses a CONF_PAIR into a C data type.
Definition cf_parse.c:213
int cf_parse_gid(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
Generic function for resolving GID strings to uid_t values.
Definition cf_parse.c:1791
int cf_parse_uid(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
Generic function for resolving UID strings to uid_t values.
Definition cf_parse.c:1776
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:669
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:623
#define FR_CONF_DEPRECATED(_name, _struct, _field)
conf_parser_t entry which raises an error if a matching CONF_PAIR is found
Definition cf_parse.h:409
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:529
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:280
#define FR_SIZE_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:519
char const * name2
Second identifier for CONF_SECTION.
Definition cf_parse.h:608
#define cf_section_rules_push(_cs, _rule)
Definition cf_parse.h:701
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:334
char const * name1
Name of the CONF_ITEM to parse.
Definition cf_parse.h:607
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition cf_parse.h:294
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:268
cf_parse_t on_read
Function to call as the item is being read, just after it has been allocated and initialized.
Definition cf_parse.h:626
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:309
#define FR_TIME_DELTA_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:540
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
Definition cf_parse.h:429
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:446
@ CONF_FLAG_OK_MISSING
OK if it's missing.
Definition cf_parse.h:454
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:423
@ CONF_FLAG_HIDDEN
Used by scripts to omit items from the generated documentation.
Definition cf_parse.h:455
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:238
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:606
Common header for all CONF_* types.
Definition cf_priv.h:54
Configuration AVP similar to a fr_pair_t.
Definition cf_priv.h:77
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:106
int cf_pair_replace_or_add(CONF_SECTION *cs, char *ref, char const *value)
Definition cf_util.c:2592
bool cf_item_is_pair(CONF_ITEM const *ci)
Determine if CONF_ITEM is a CONF_PAIR.
Definition cf_util.c:640
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1352
CONF_ITEM * cf_section_to_item(CONF_SECTION const *cs)
Cast a CONF_SECTION to a CONF_ITEM.
Definition cf_util.c:746
CONF_PAIR * cf_pair_alloc(CONF_SECTION *parent, char const *attr, char const *value, fr_token_t op, fr_token_t lhs_quote, fr_token_t rhs_quote)
Allocate a CONF_PAIR.
Definition cf_util.c:1434
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1194
CONF_PAIR * cf_pair_find(CONF_SECTION const *cs, char const *attr)
Search for a CONF_PAIR with a specific name.
Definition cf_util.c:1587
bool cf_item_is_data(CONF_ITEM const *ci)
Determine if CONF_ITEM is CONF_DATA.
Definition cf_util.c:654
fr_token_t cf_pair_operator(CONF_PAIR const *pair)
Return the operator of a pair.
Definition cf_util.c:1760
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:672
CONF_SECTION * cf_section_find_next(CONF_SECTION const *cs, CONF_SECTION const *prev, char const *name1, char const *name2)
Return the next matching section.
Definition cf_util.c:1215
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1746
int cf_pair_replace(CONF_SECTION *cs, CONF_PAIR *cp, char const *value)
Replace pair value in a given section with the given value.
Definition cf_util.c:1508
char const * cf_pair_attr(CONF_PAIR const *pair)
Return the attr of a CONF_PAIR.
Definition cf_util.c:1730
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:345
#define cf_data_add(_cf, _data, _name, _free)
Definition cf_util.h:311
#define cf_log_info(_cf, _fmt,...)
Definition cf_util.h:347
#define cf_item_next(_parent, _curr)
Definition cf_util.h:94
#define cf_log_perr(_cf, _fmt,...)
Definition cf_util.h:352
#define cf_log_pwarn(_cf, _fmt,...)
Definition cf_util.h:353
#define cf_section_alloc(_ctx, _parent, _name1, _name2)
Definition cf_util.h:201
#define CF_IDENT_ANY
Definition cf_util.h:80
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition dcursor.h:406
static char panic_action[512]
The command to execute when panicking.
Definition debug.c:66
int fr_set_dumpable(bool allow_core_dumps)
Enable or disable core dumps.
Definition debug.c:690
int fr_set_dumpable_init(void)
Get the current maximum for core files.
Definition debug.c:675
#define MEM(x)
Definition debug.h:36
void dependency_features_init(CONF_SECTION *cs)
Initialise core feature flags.
Definition dependency.c:183
void dependency_version_numbers_init(CONF_SECTION *cs)
Initialise core version flags.
Definition dependency.c:333
#define ERROR(fmt,...)
Definition dhcpclient.c:40
#define DEBUG(fmt,...)
Definition dhcpclient.c:38
int fr_dict_internal_afrom_file(fr_dict_t **out, char const *dict_subdir, char const *dependent))
(Re-)Initialize the special internal dictionary
int fr_dict_free(fr_dict_t **dict, char const *dependent)
Decrement the reference count on a previously loaded dictionary.
Definition dict_util.c:4306
static fr_slen_t in
Definition dict.h:882
Test enumeration values.
Definition dict_test.h:92
#define RTLD_NOW
Definition dl.c:44
dl_module_loader_t * dl_module_loader_init(char const *lib_dir)
Initialise structures needed by the dynamic linker.
Definition dl_module.c:524
#define FR_DLIST_TYPES(_name)
Define type specific wrapper structs for dlists.
Definition dlist.h:1111
#define FR_DLIST_ENTRY(_name)
Expands to the type name used for the entry wrapper structure.
Definition dlist.h:1097
#define FR_DLIST_FUNCS(_name, _element_type, _element_entry)
Define type specific wrapper functions for dlists.
Definition dlist.h:1134
#define FR_DLIST_HEAD(_name)
Expands to the type name used for the head wrapper structure.
Definition dlist.h:1104
#define FR_DLIST_TYPEDEFS(_name, _head, _entry)
Define friendly names for type specific dlist head and entry structures.
Definition dlist.h:1121
talloc_free(hp)
uint32_t fr_hw_num_cores_active(void)
Definition hw.c:121
bool fr_hostname_lookups
hostname -> IP lookups?
Definition inet.c:52
bool fr_reverse_lookups
IP -> hostname lookups?
Definition inet.c:51
static bool log_timestamp
Definition log.c:1102
fr_table_num_sorted_t const log_destination_table[]
Definition log.c:186
int log_global_init(fr_log_t *log, bool daemonize)
Initialises the server logging functionality, and the underlying libfreeradius log.
Definition log.c:1276
int log_parse_section(CONF_SECTION *cs)
Parse a named logging section.
Definition log.c:1141
size_t syslog_facility_table_len
Definition log.c:143
fr_table_num_sorted_t const syslog_facility_table[]
Syslog facility table.
Definition log.c:66
void log_global_free(void)
Definition log.c:1312
#define PERROR(_fmt,...)
Definition log.h:228
#define DEBUG_ENABLED
True if global debug level 1 messages are enabled.
Definition log.h:257
#define RPEDEBUG(fmt,...)
Definition log.h:388
void rad_suid_up(void)
Definition util.c:767
void rad_suid_down(void)
Definition util.c:771
void rad_suid_set_down_uid(uid_t uid)
Definition util.c:763
#define fr_time()
Definition event.c:60
ssize_t fr_mkdir(int *fd_out, char const *path, ssize_t len, mode_t mode, fr_mkdir_func_t func, void *uctx)
Create directories that are missing in the specified path.
Definition file.c:218
int fr_debug_lvl
Definition log.c:41
fr_log_t default_log
Definition log.c:306
bool log_dates_utc
Definition log.c:304
@ L_DST_NULL
Discard log messages.
Definition log.h:80
@ L_DST_FILES
Log to a file on disk.
Definition log.h:76
@ L_DST_NUM_DEST
Definition log.h:81
@ L_DST_SYSLOG
Log to syslog.
Definition log.h:77
@ L_TIMESTAMP_ON
Always log timestamps.
Definition log.h:87
@ L_TIMESTAMP_OFF
Never log timestamps.
Definition log.h:88
@ L_TIMESTAMP_AUTO
Timestamp logging preference not specified.
Definition log.h:85
static const conf_parser_t log_config[]
static const conf_parser_t resources[]
fr_log_t debug_log
Definition main_config.c:60
int main_config_save_override(char const *str)
int main_config_free(main_config_t **config)
main_config_t * main_config_alloc(TALLOC_CTX *ctx)
Allocate a main_config_t struct, setting defaults.
static int xlat_config_escape(UNUSED request_t *request, fr_value_box_t *vb, UNUSED void *uctx)
void main_config_exclusive_proc_done(UNUSED main_config_t const *config)
Clean up the semaphore when the main config is freed.
void main_config_hup(main_config_t *config)
static const conf_parser_t thread_config[]
int main_config_exclusive_proc(main_config_t *config)
Check to see if we're the only process using this configuration file (or PID file if specified)
static int lib_dir_on_read(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static int num_workers_dflt(CONF_PAIR **out, void *parent, CONF_SECTION *cs, fr_token_t quote, conf_parser_t const *rule)
void main_config_name_set_default(main_config_t *config, char const *name, bool overwrite_config)
Set the server name.
static const conf_parser_t limit_exec_config[]
static int reverse_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static const conf_parser_t switch_users_config[]
static const conf_parser_t server_config[]
static int _dlhandle_free(void **dl_handle)
void hup_logfile(main_config_t *config)
static xlat_arg_parser_t const xlat_config_args[]
static const conf_parser_t security_config[]
static uint32_t num_workers_auto(main_config_t *conf, CONF_ITEM *parent)
static const conf_parser_t initial_log_config[]
static const conf_parser_t request_config[]
static int max_request_time_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static int num_networks_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static const conf_parser_t migrate_config[]
int main_config_init(main_config_t *config)
static const conf_parser_t initial_server_config[]
static int hostname_lookups_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
void main_config_confdir_set(main_config_t *config, char const *name)
Set the global radius config directory.
static int name_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Configured server name takes precedence over default values.
main_config_t const * main_config
Main server configuration.
Definition main_config.c:56
static const conf_parser_t lib_dir_on_read_config[]
#define fr_override_list_foreach(_list_head, _iter)
Definition main_config.c:79
static const conf_parser_t request_reuse_config[]
fr_override_t
Definition main_config.c:75
static const conf_parser_t limit_files_config[]
int main_config_exclusive_proc_child(UNUSED main_config_t const *config)
Increment the semaphore in the child process so that it's not released when the parent exits.
static const conf_parser_t interpret_config[]
static int talloc_pool_size_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static int num_workers_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
void main_config_dict_dir_set(main_config_t *config, char const *name)
Set the global dictionary directory.
#define MAX_REQUEST_TIME
Default maximum request time.
Definition main_config.h:35
char const * lib_dir
Definition main_config.h:72
CONF_SECTION * root_cs
Root of the server config.
Definition main_config.h:55
Main server configuration.
Definition main_config.h:51
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_VOID
User data.
@ FR_TYPE_BOOL
A truth value.
@ FR_TYPE_SIZE
Unsigned integer capable of representing any memory address on the local system.
unsigned int uint32_t
int fr_perm_getgrgid(TALLOC_CTX *ctx, struct group **out, gid_t gid)
Resolve a gid to a group database entry.
Definition perm.c:331
int fr_perm_getpwuid(TALLOC_CTX *ctx, struct passwd **out, uid_t uid)
Resolve a uid to a passwd entry.
Definition perm.c:205
static const conf_parser_t config[]
Definition base.c:163
#define fr_assert(_expr)
Definition rad_assert.h:37
#define DEBUG2(fmt,...)
#define WARN(fmt,...)
static bool done
Definition radclient.c:80
#define INFO(fmt,...)
Definition radict.c:63
static rs_t * conf
Definition radsniff.c:52
static char const * name
static const conf_parser_t xlat_config[]
Definition rlm_rest.c:137
int fr_sem_wait(int sem_id, char const *file, bool undo_on_exit, bool nonblock)
Wait for a semaphore to reach 0, then increment it by 1.
Definition sem.c:251
int fr_sem_close(int sem_id, char const *file)
Remove the semaphore, this helps with permissions issues.
Definition sem.c:328
int fr_sem_pid(pid_t *pid, int sem_id)
Return the PID of the process that last operated on the semaphore.
Definition sem.c:52
int fr_sem_get(char const *file, int proj_id, uid_t uid, gid_t gid, bool check_perm, bool must_exist)
Returns a semid for the semaphore associated with the file.
Definition sem.c:420
int fr_sem_take(int sem_id, char const *file, bool undo_on_exit)
Increment the semaphore by 1.
Definition sem.c:220
#define HAVE_SEMAPHORES
Definition sem.h:32
#define FR_SLAB_CONFIG_CONF_PARSER
conf_parser_t entries to populate user configurable slab values
Definition slab.h:35
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
void client_list_free(void)
Definition client.c:84
fr_client_list_t * client_list_parse_section(CONF_SECTION *section, int proto, TLS_UNUSED bool tls_required)
Definition client.c:475
Definition log.h:93
bool dates_utc
Whether timestamps should be UTC or local timezone.
Definition log.h:101
bool colourise
Prefix log messages with VT100 escape codes to change text colour.
Definition log.h:98
fr_log_dst_t dst
Log destination.
Definition log.h:94
bool line_number
Log src file and line number.
Definition log.h:96
int fd
File descriptor to write messages to.
Definition log.h:109
fr_log_timestamp_t timestamp
Prefix log messages with timestamps.
Definition log.h:107
char const * file
Path to log file.
Definition log.h:110
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:685
static int talloc_const_free(void const *ptr)
Free const'd memory.
Definition talloc.h:254
#define talloc_asprintf
Definition talloc.h:151
#define talloc_strdup(_ctx, _str)
Definition talloc.h:149
#define fr_time_gteq(_a, _b)
Definition time.h:238
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
#define fr_time_wrap(_time)
Definition time.h:145
#define fr_time_add(_a, _b)
Add a time/time delta together.
Definition time.h:196
A time delta, a difference in time measured in nanoseconds.
Definition time.h:80
"server local" time.
Definition time.h:69
enum fr_token fr_token_t
@ T_BARE_WORD
Definition token.h:118
@ T_OP_EQ
Definition token.h:81
@ T_DOUBLE_QUOTED_STRING
Definition token.h:119
unsigned int required
Argument must be present, and non-empty.
Definition xlat.h:146
#define XLAT_ARG_PARSER_TERMINATOR
Definition xlat.h:170
xlat_action_t
Definition xlat.h:37
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition xlat.h:44
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition xlat.h:43
Definition for a single argument consumed by an xlat function.
Definition xlat.h:145
#define FR_DICTIONARY_INTERNAL_DIR
Definition conf.h:8
static fr_slen_t parent
Definition pair.h:858
char const * fr_strerror(void)
Get the last library error.
Definition strerror.c:558
void fr_perror(char const *fmt,...)
Print the current error to stderr with a prefix.
Definition strerror.c:737
void fr_strerror_clear(void)
Clears all pending messages from the talloc pools.
Definition strerror.c:581
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
#define fr_strerror_const(_msg)
Definition strerror.h:223
int fr_value_box_bstrndup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, size_t len, bool tainted)
Copy a string to to a fr_value_box_t.
Definition value.c:4838
#define fr_value_box_alloc_null(_ctx)
Allocate a value box for later use with a value assignment function.
Definition value.h:655
static size_t char ** out
Definition value.h:1030
const conf_parser_t virtual_servers_on_read_config[]
const conf_parser_t virtual_servers_config[]
An xlat calling ctx.
Definition xlat_ctx.h:49
void xlat_func_flags_set(xlat_t *x, xlat_func_flags_t flags)
Specify flags that alter the xlat's behaviour.
Definition xlat_func.c:392
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
Definition xlat_func.c:365
xlat_t * xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func, fr_type_t return_type)
Register an xlat function.
Definition xlat_func.c:216
int xlat_func_init(void)
Definition xlat_func.c:540
@ XLAT_FUNC_FLAG_PURE
Definition xlat_func.h:38