Control socket interface.
- namespace
-
Determine the current scope as a control service.
All configuration related to the control interface.
- transport
-
Define which communication channel.
UNIX socket-file as communication channel.
- filename
-
Socket location.
Most operating systems (other than Linux), do not respect permissions set on socket files.
To work around this issue, we ensure the permissions on the directory containing the socket, are sufficiently restrictive to only allow access by the FreeRADIUS user, or the gid below (if set).
It is recommended to house the socket in its own sub-directory. FreeRADIUS will create this sub-directory if it doesn’t exist and set the appropriate ownership and permissions.
- uid
-
Name of user who owns the control socket.
If this is not set, then the "security.user" configuration is used.
If that isn’t set, then the uid of the current user running radiusd is used.
Note that the control socket cannot have uid of 0.
- gid
-
Name of group which owns the control socket.
If this is not set, then the "security.group" configuration is used.
If that isn’t set, then the primary group (gid) of the current user running radiusd is used.
Note that the control socket cannot have gid of 0.
- mode
-
Access mode.
This can be used to give some administrators access to monitor the system, but not to change it.
ro = read only access (default) rw = read/write access.
As an additional check, the connecting process can be limited to a certain UID and GID. Either or both can be set. If one is set, it is checked and enforced.
Default Configuration
# In the future, we will add username/password checking for
# connections to the control socket. We will also add
# command authorization, where the commands entered by the
# administrator are run through a virtual server before
# they are executed.
# For now, anyone who has permission to connect to the socket
# has nearly complete control over the server. Be warned!
# NOTE: This functionality is NOT enabled by default.
# See also the "radmin" program, which is used to communicate
# with the server over the control socket.
server control-socket-server {
namespace = control
listen {
transport = unix
unix {
filename = ${run_dir}/control/${name}.sock
# uid = radius
# gid = radius
mode = rw
peercred {
# uid = something
# gid = something
}
}
}
}