2 * mainconf.c Handle the server's configuration.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2002,2006-2007 The FreeRADIUS server project
21 * Copyright 2002 Alan DeKok <aland@ox.org>
26 #include <freeradius-devel/radiusd.h>
27 #include <freeradius-devel/modules.h>
28 #include <freeradius-devel/modpriv.h>
29 #include <freeradius-devel/rad_assert.h>
43 main_config_t main_config; //!< Main server configuration.
44 extern fr_cond_t *debug_condition;
45 fr_cond_t *debug_condition = NULL; //!< Condition used to mark packets up for checking.
46 bool event_loop_started = false; //!< Whether the main event loop has been started yet.
48 typedef struct cached_config_t {
49 struct cached_config_t *next;
54 static cached_config_t *cs_cache = NULL;
57 * Temporary local variables for parsing the configuration
62 * Systems that have set/getresuid also have setuid.
64 static uid_t server_uid = 0;
65 static gid_t server_gid = 0;
66 static char const *uid_name = NULL;
67 static char const *gid_name = NULL;
69 static char const *chroot_dir = NULL;
70 static bool allow_core_dumps = false;
71 static char const *radlog_dest = NULL;
74 * These are not used anywhere else..
76 static char const *localstatedir = NULL;
77 static char const *prefix = NULL;
78 static char const *my_name = NULL;
79 static char const *sbindir = NULL;
80 static char const *run_dir = NULL;
81 static char const *syslog_facility = NULL;
82 static bool do_colourise = false;
84 static char const *radius_dir = NULL; //!< Path to raddb directory
86 /**********************************************************************
88 * We need to figure out where the logs go, before doing anything
89 * else. This is so that the log messages go to the correct
92 * BUT, we want the settings from the command line to over-ride
93 * the ones in the configuration file. So, these items are
94 * parsed ONLY if there is no "-l foo" on the command line.
96 **********************************************************************/
101 static const CONF_PARSER startup_log_config[] = {
102 { "destination", FR_CONF_POINTER(PW_TYPE_STRING, &radlog_dest), "files" },
103 { "syslog_facility", FR_CONF_POINTER(PW_TYPE_STRING, &syslog_facility), STRINGIFY(0) },
105 { "localstatedir", FR_CONF_POINTER(PW_TYPE_STRING, &localstatedir), "${prefix}/var"},
106 { "logdir", FR_CONF_POINTER(PW_TYPE_STRING, &radlog_dir), "${localstatedir}/log"},
107 { "file", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.log_file), "${logdir}/radius.log" },
108 { "requests", FR_CONF_POINTER(PW_TYPE_STRING | PW_TYPE_DEPRECATED, &default_log.file), NULL },
109 CONF_PARSER_TERMINATOR
114 * Basic configuration for the server.
116 static const CONF_PARSER startup_server_config[] = {
117 { "log", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) startup_log_config },
119 { "name", FR_CONF_POINTER(PW_TYPE_STRING, &my_name), "radiusd"},
120 { "prefix", FR_CONF_POINTER(PW_TYPE_STRING, &prefix), "/usr/local"},
122 { "log_file", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.log_file), NULL },
123 { "log_destination", FR_CONF_POINTER(PW_TYPE_STRING, &radlog_dest), NULL },
124 { "use_utc", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_dates_utc), NULL },
125 CONF_PARSER_TERMINATOR
129 /**********************************************************************
131 * Now that we've parsed the log destination, AND the security
132 * items, we can parse the rest of the configuration items.
134 **********************************************************************/
135 static const CONF_PARSER log_config[] = {
136 { "stripped_names", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_stripped_names),"no" },
137 { "auth", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_auth), "no" },
138 { "auth_badpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_auth_badpass), "no" },
139 { "auth_goodpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_auth_goodpass), "no" },
140 { "msg_badpass", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.auth_badpass_msg), NULL},
141 { "msg_goodpass", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.auth_goodpass_msg), NULL},
142 { "colourise",FR_CONF_POINTER(PW_TYPE_BOOLEAN, &do_colourise), NULL },
143 { "use_utc", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_dates_utc), NULL },
144 { "msg_denied", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.denied_msg), "You are already logged in - access denied" },
145 CONF_PARSER_TERMINATOR
150 * Security configuration for the server.
152 static const CONF_PARSER security_config[] = {
153 { "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
154 { "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
155 { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
156 #ifdef ENABLE_OPENSSL_VERSION_CHECK
157 { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
159 CONF_PARSER_TERMINATOR
162 static const CONF_PARSER resources[] = {
164 * Don't set a default here. It's set in the code, below. This means that
165 * the config item will *not* get printed out in debug mode, so that no one knows
168 { "talloc_pool_size", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.talloc_pool_size), NULL },
169 CONF_PARSER_TERMINATOR
172 static const CONF_PARSER server_config[] = {
174 * FIXME: 'prefix' is the ONLY one which should be
175 * configured at compile time. Hard-coding it here is
176 * bad. It will be cleaned up once we clean up the
177 * hard-coded defines for the locations of the various
180 { "name", FR_CONF_POINTER(PW_TYPE_STRING, &my_name), "radiusd"},
181 { "prefix", FR_CONF_POINTER(PW_TYPE_STRING, &prefix), "/usr/local"},
182 { "localstatedir", FR_CONF_POINTER(PW_TYPE_STRING, &localstatedir), "${prefix}/var"},
183 { "sbindir", FR_CONF_POINTER(PW_TYPE_STRING, &sbindir), "${prefix}/sbin"},
184 { "logdir", FR_CONF_POINTER(PW_TYPE_STRING, &radlog_dir), "${localstatedir}/log"},
185 { "run_dir", FR_CONF_POINTER(PW_TYPE_STRING, &run_dir), "${localstatedir}/run/${name}"},
186 { "libdir", FR_CONF_POINTER(PW_TYPE_STRING, &radlib_dir), "${prefix}/lib"},
187 { "radacctdir", FR_CONF_POINTER(PW_TYPE_STRING, &radacct_dir), "${logdir}/radacct" },
188 { "panic_action", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.panic_action), NULL},
189 { "hostname_lookups", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &fr_dns_lookups), "no" },
190 { "max_request_time", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.max_request_time), STRINGIFY(MAX_REQUEST_TIME) },
191 { "cleanup_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.cleanup_delay), STRINGIFY(CLEANUP_DELAY) },
192 { "max_requests", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.max_requests), STRINGIFY(MAX_REQUESTS) },
193 { "pidfile", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.pid_file), "${run_dir}/radiusd.pid"},
194 { "checkrad", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.checkrad), "${sbindir}/checkrad" },
196 { "debug_level", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.debug_level), "0"},
199 { "proxy_requests", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.proxy_requests), "yes" },
201 { "log", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) log_config },
203 { "resources", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) resources },
206 * People with old configs will have these. They are listed
207 * AFTER the "log" section, so if they exist in radiusd.conf,
208 * it will prefer "log_foo = bar" to "log { foo = bar }".
209 * They're listed with default values of NULL, so that if they
210 * DON'T exist in radiusd.conf, then the previously parsed
211 * values for "log { foo = bar}" will be used.
213 { "log_auth", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &main_config.log_auth), NULL },
214 { "log_auth_badpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &main_config.log_auth_badpass), NULL },
215 { "log_auth_goodpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &main_config.log_auth_goodpass), NULL },
216 { "log_stripped_names", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &log_stripped_names), NULL },
218 { "security", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) security_config },
219 CONF_PARSER_TERMINATOR
223 /**********************************************************************
225 * The next few items are here as a "bootstrap" for security.
226 * They allow the server to switch users, chroot, while still
227 * opening the various output files with the correct permission.
229 * It's rare (or impossible) to have parse errors here, so we
230 * don't worry too much about that. In contrast, when we parse
231 * the rest of the configuration, we CAN get parse errors. We
232 * want THOSE parse errors to go to the log file, and we want the
233 * log file to have the correct permissions.
235 **********************************************************************/
236 static const CONF_PARSER bootstrap_security_config[] = {
238 { "user", FR_CONF_POINTER(PW_TYPE_STRING, &uid_name), NULL },
239 { "group", FR_CONF_POINTER(PW_TYPE_STRING, &gid_name), NULL },
241 { "chroot", FR_CONF_POINTER(PW_TYPE_STRING, &chroot_dir), NULL },
242 { "allow_core_dumps", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &allow_core_dumps), "no" },
243 CONF_PARSER_TERMINATOR
246 static const CONF_PARSER bootstrap_config[] = {
247 { "security", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) bootstrap_security_config },
249 { "name", FR_CONF_POINTER(PW_TYPE_STRING, &my_name), "radiusd"},
250 { "prefix", FR_CONF_POINTER(PW_TYPE_STRING, &prefix), "/usr/local"},
251 { "localstatedir", FR_CONF_POINTER(PW_TYPE_STRING, &localstatedir), "${prefix}/var"},
253 { "logdir", FR_CONF_POINTER(PW_TYPE_STRING, &radlog_dir), "${localstatedir}/log"},
254 { "run_dir", FR_CONF_POINTER(PW_TYPE_STRING, &run_dir), "${localstatedir}/run/${name}"},
257 * For backwards compatibility.
260 { "user", FR_CONF_POINTER(PW_TYPE_STRING | PW_TYPE_DEPRECATED, &uid_name), NULL },
261 { "group", FR_CONF_POINTER(PW_TYPE_STRING | PW_TYPE_DEPRECATED, &gid_name), NULL },
263 { "chroot", FR_CONF_POINTER(PW_TYPE_STRING | PW_TYPE_DEPRECATED, &chroot_dir), NULL },
264 { "allow_core_dumps", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &allow_core_dumps), NULL },
265 CONF_PARSER_TERMINATOR
269 static size_t config_escape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
272 static char const disallowed[] = "%{}\\'\"`";
276 * Non-printable characters get replaced with their
277 * mime-encoded equivalents.
280 if (outlen <= 3) break;
282 snprintf(out, outlen, "=%02X", (unsigned char) in[0]);
289 } else if (strchr(disallowed, *in) != NULL) {
290 if (outlen <= 2) break;
302 * Only one byte left.
322 * Xlat for %{config:section.subsection.attribute}
324 static ssize_t xlat_config(UNUSED void *instance, REQUEST *request, char const *fmt, char *out, size_t outlen)
334 if (radius_xlat(buffer, sizeof(buffer), request, fmt, config_escape_func, NULL) < 0) {
338 ci = cf_reference_item(request->root->config,
339 request->root->config, buffer);
340 if (!ci || !cf_item_is_pair(ci)) {
341 REDEBUG("Config item \"%s\" does not exist", fmt);
346 cp = cf_item_to_pair(ci);
349 * Ensure that we only copy what's necessary.
351 * If 'outlen' is too small, then the output is chopped to fit.
353 value = cf_pair_value(cp);
359 if (outlen > strlen(value)) {
360 outlen = strlen(value) + 1;
363 strlcpy(out, value, outlen);
370 * Xlat for %{client:foo}
372 static ssize_t xlat_client(UNUSED void *instance, REQUEST *request, char const *fmt, char *out, size_t outlen)
374 char const *value = NULL;
377 if (!fmt || !out || (outlen < 1)) return 0;
379 if (!request->client) {
380 RWDEBUG("No client associated with this request");
385 cp = cf_pair_find(request->client->cs, fmt);
386 if (!cp || !(value = cf_pair_value(cp))) {
387 if (strcmp(fmt, "shortname") == 0 && request->client->shortname) {
388 value = request->client->shortname;
390 else if (strcmp(fmt, "nas_type") == 0 && request->client->nas_type) {
391 value = request->client->nas_type;
398 strlcpy(out, value, outlen);
404 * Xlat for %{getclient:<ipaddr>.foo}
406 static ssize_t xlat_getclient(UNUSED void *instance, REQUEST *request, char const *fmt, char *out, size_t outlen)
408 char const *value = NULL;
409 char buffer[INET6_ADDRSTRLEN], *q;
413 RADCLIENT *client = NULL;
415 if (!fmt || !out || (outlen < 1)) return 0;
418 if (!q || (q == p) || (((size_t)(q - p)) > sizeof(buffer))) {
419 REDEBUG("Invalid client string");
423 strlcpy(buffer, p, (q + 1) - p);
424 if (fr_pton(&ip, buffer, -1, AF_UNSPEC, false) < 0) {
425 REDEBUG("\"%s\" is not a valid IPv4 or IPv6 address", buffer);
431 client = client_find(NULL, &ip, IPPROTO_IP);
433 RDEBUG("No client found with IP \"%s\"", buffer);
438 cp = cf_pair_find(client->cs, fmt);
439 if (!cp || !(value = cf_pair_value(cp))) {
440 if (strcmp(fmt, "shortname") == 0) {
441 strlcpy(out, request->client->shortname, outlen);
448 strlcpy(out, value, outlen);
457 * Xlat for %{listen:foo}
459 static ssize_t xlat_listen(UNUSED void *instance, REQUEST *request,
460 char const *fmt, char *out, size_t outlen)
462 char const *value = NULL;
465 if (!fmt || !out || (outlen < 1)) return 0;
467 if (!request->listener) {
468 RWDEBUG("No listener associated with this request");
473 cp = cf_pair_find(request->listener->cs, fmt);
474 if (!cp || !(value = cf_pair_value(cp))) {
475 RDEBUG("Listener does not contain config item \"%s\"", fmt);
480 strlcpy(out, value, outlen);
487 * Do chroot, if requested.
489 * Switch UID and GID to what is specified in the config file
491 static int switch_users(CONF_SECTION *cs)
493 bool do_suid = false;
494 bool do_sgid = false;
497 * Get the current maximum for core files. Do this
498 * before anything else so as to ensure it's properly
501 if (fr_set_dumpable_init() < 0) {
502 fr_perror("%s", main_config.name);
507 * Don't do chroot/setuid/setgid if we're in debugging
510 if (rad_debug_lvl && (getuid() != 0)) return 1;
512 if (cf_section_parse(cs, NULL, bootstrap_config) < 0) {
513 fprintf(stderr, "%s: Error: Failed to parse user/group information.\n",
520 * Get the correct GID for the server.
522 server_gid = getgid();
527 gr = getgrnam(gid_name);
529 fprintf(stderr, "%s: Cannot get ID for group %s: %s\n",
530 main_config.name, gid_name, fr_syserror(errno));
534 if (server_gid != gr->gr_gid) {
535 server_gid = gr->gr_gid;
542 * Get the correct UID for the server.
544 server_uid = getuid();
549 if (rad_getpwnam(cs, &user, uid_name) < 0) {
550 fprintf(stderr, "%s: Cannot get passwd entry for user %s: %s\n",
551 main_config.name, uid_name, fr_strerror());
556 * We're not the correct user. Go set that.
558 if (server_uid != user->pw_uid) {
559 server_uid = user->pw_uid;
561 #ifdef HAVE_INITGROUPS
562 if (initgroups(uid_name, server_gid) < 0) {
563 fprintf(stderr, "%s: Cannot initialize supplementary group list for user %s: %s\n",
564 main_config.name, uid_name, fr_syserror(errno));
575 * Do chroot BEFORE changing UIDs.
578 if (chroot(chroot_dir) < 0) {
579 fprintf(stderr, "%s: Failed to perform chroot %s: %s",
580 main_config.name, chroot_dir, fr_syserror(errno));
585 * Note that we leave chdir alone. It may be
586 * OUTSIDE of the root. This allows us to read
587 * the configuration from "-d ./etc/raddb", with
588 * the chroot as "./chroot/" for example. After
589 * the server has been loaded, it does a "cd
590 * ${logdir}" below, so that core files (if any)
591 * go to a logging directory.
593 * This also allows the configuration of the
594 * server to be outside of the chroot. If the
595 * server is statically linked, then the only
596 * things needed inside of the chroot are the
597 * logging directories.
603 * Set the GID. Don't bother checking it.
606 if (setgid(server_gid) < 0){
607 fprintf(stderr, "%s: Failed setting group to %s: %s",
608 main_config.name, gid_name, fr_syserror(errno));
615 * The directories for PID files and logs must exist. We
616 * need to create them if we're told to write files to
619 * Because this creation is new in 3.0.9, it's a soft
623 if (main_config.write_pid) {
626 my_dir = talloc_strdup(NULL, run_dir);
627 if (rad_mkdir(my_dir, 0750, server_uid, server_gid) < 0) {
628 DEBUG("Failed to create run_dir %s: %s",
629 my_dir, strerror(errno));
634 if (default_log.dst == L_DST_FILES) {
637 my_dir = talloc_strdup(NULL, radlog_dir);
638 if (rad_mkdir(my_dir, 0750, server_uid, server_gid) < 0) {
639 DEBUG("Failed to create logdir %s: %s",
640 my_dir, strerror(errno));
646 * Once we're done with all of the privileged work,
647 * permanently change the UID.
650 rad_suid_set_down_uid(server_uid);
655 * If we don't already have a log file open, open one
656 * now. We may not have been logging anything yet. The
657 * server normally starts up fairly quietly.
659 if ((default_log.dst == L_DST_FILES) &&
660 (default_log.fd < 0)) {
661 default_log.fd = open(main_config.log_file,
662 O_WRONLY | O_APPEND | O_CREAT, 0640);
663 if (default_log.fd < 0) {
664 fprintf(stderr, "%s: Failed to open log file %s: %s\n",
665 main_config.name, main_config.log_file, fr_syserror(errno));
671 * If we need to change UID, ensure that the log files
672 * have the correct owner && group.
674 * We have to do this because some log files MAY already
675 * have been written as root. We need to change them to
676 * have the correct ownership before proceeding.
678 if ((do_suid || do_sgid) &&
679 (default_log.dst == L_DST_FILES)) {
680 if (fchown(default_log.fd, server_uid, server_gid) < 0) {
681 fprintf(stderr, "%s: Cannot change ownership of log file %s: %s\n",
682 main_config.name, main_config.log_file, fr_syserror(errno));
688 * This also clears the dumpable flag if core dumps
691 if (fr_set_dumpable(allow_core_dumps) < 0) {
692 ERROR("%s", fr_strerror());
695 if (allow_core_dumps) {
696 INFO("Core dumps are enabled");
701 #endif /* HAVE_SETUID */
703 /** Set the global radius config directory.
705 * @param ctx Where to allocate the memory for the path string.
706 * @param path to config dir root e.g. /usr/local/etc/raddb
708 void set_radius_dir(TALLOC_CTX *ctx, char const *path)
713 memcpy(&p, &radius_dir, sizeof(p));
717 if (path) radius_dir = talloc_strdup(ctx, path);
720 /** Get the global radius config directory.
722 * @return the global radius config directory.
724 char const *get_radius_dir(void)
732 * This function can ONLY be called from the main server process.
734 int main_config_init(void)
736 char const *p = NULL;
737 CONF_SECTION *cs, *subcs;
742 if (stat(radius_dir, &statbuf) < 0) {
743 ERROR("Errors reading %s: %s",
744 radius_dir, fr_syserror(errno));
749 if ((statbuf.st_mode & S_IWOTH) != 0) {
750 ERROR("Configuration directory %s is globally writable. Refusing to start due to insecure configuration.",
756 #if 0 && defined(S_IROTH)
757 if (statbuf.st_mode & S_IROTH != 0) {
758 ERROR("Configuration directory %s is globally readable. Refusing to start due to insecure configuration.",
763 INFO("Starting - reading configuration files ...");
766 * We need to load the dictionaries before reading the
767 * configuration files. This is because of the
768 * pre-compilation in conffile.c. That should probably
769 * be fixed to be done as a second stage.
771 if (!main_config.dictionary_dir) {
772 main_config.dictionary_dir = DICTDIR;
776 * About sizeof(REQUEST) + sizeof(RADIUS_PACKET) * 2 + sizeof(VALUE_PAIR) * 400
778 * Which should be enough for many configurations.
780 main_config.talloc_pool_size = 8 * 1024; /* default */
783 * Read the distribution dictionaries first, then
786 DEBUG2("including dictionary file %s/%s", main_config.dictionary_dir, RADIUS_DICTIONARY);
787 if (dict_init(main_config.dictionary_dir, RADIUS_DICTIONARY) != 0) {
788 ERROR("Errors reading dictionary: %s",
793 #define DICT_READ_OPTIONAL(_d, _n) \
795 switch (dict_read(_d, _n)) {\
797 ERROR("Errors reading %s/%s: %s", _d, _n, fr_strerror());\
800 DEBUG2("including dictionary file %s/%s", _d,_n);\
808 * Try to load protocol-specific dictionaries. It's OK
809 * if they don't exist.
812 DICT_READ_OPTIONAL(main_config.dictionary_dir, "dictionary.dhcp");
816 DICT_READ_OPTIONAL(main_config.dictionary_dir, "dictionary.vqp");
820 * It's OK if this one doesn't exist.
822 DICT_READ_OPTIONAL(radius_dir, RADIUS_DICTIONARY);
824 cs = cf_section_alloc(NULL, "main", NULL);
828 * Add a 'feature' subsection off the main config
829 * We check if it's defined first, as the user may
830 * have defined their own feature flags, or want
831 * to manually override the ones set by modules
834 subcs = cf_section_sub_find(cs, "feature");
836 subcs = cf_section_alloc(cs, "feature", NULL);
837 if (!subcs) return -1;
839 cf_section_add(cs, subcs);
841 version_init_features(subcs);
844 * Add a 'version' subsection off the main config
845 * We check if it's defined first, this is for
846 * backwards compatibility.
848 subcs = cf_section_sub_find(cs, "version");
850 subcs = cf_section_alloc(cs, "version", NULL);
851 if (!subcs) return -1;
852 cf_section_add(cs, subcs);
854 version_init_numbers(subcs);
856 /* Read the configuration file */
857 snprintf(buffer, sizeof(buffer), "%.200s/%.50s.conf", radius_dir, main_config.name);
858 if (cf_file_read(cs, buffer) < 0) {
859 ERROR("Errors reading or parsing %s", buffer);
865 * If there was no log destination set on the command line,
868 if (default_log.dst == L_DST_NULL) {
869 if (cf_section_parse(cs, NULL, startup_server_config) < 0) {
870 fprintf(stderr, "%s: Error: Failed to parse log{} section.\n",
877 fprintf(stderr, "%s: Error: No log destination specified.\n",
883 default_log.dst = fr_str2int(log_str2dst, radlog_dest,
885 if (default_log.dst == L_DST_NUM_DEST) {
886 fprintf(stderr, "%s: Error: Unknown log_destination %s\n",
887 main_config.name, radlog_dest);
892 if (default_log.dst == L_DST_SYSLOG) {
894 * Make sure syslog_facility isn't NULL
897 if (!syslog_facility) {
898 fprintf(stderr, "%s: Error: Syslog chosen but no facility was specified\n",
903 main_config.syslog_facility = fr_str2int(syslog_facility_table, syslog_facility, -1);
904 if (main_config.syslog_facility < 0) {
905 fprintf(stderr, "%s: Error: Unknown syslog_facility %s\n",
906 main_config.name, syslog_facility);
913 * Call openlog only once, when the
916 openlog(main_config.name, LOG_PID, main_config.syslog_facility);
919 } else if (default_log.dst == L_DST_FILES) {
920 if (!main_config.log_file) {
921 fprintf(stderr, "%s: Error: Specified \"files\" as a log destination, but no log filename was given!\n",
931 * Switch users as early as possible.
933 if (!switch_users(cs)) fr_exit(1);
937 * This allows us to figure out where, relative to
938 * radiusd.conf, the other configuration files exist.
940 if (cf_section_parse(cs, NULL, server_config) < 0) return -1;
943 * We ignore colourization of output until after the
944 * configuration files have been parsed.
947 if (do_colourise && p && isatty(default_log.fd) && strstr(p, "xterm")) {
948 default_log.colourise = true;
950 default_log.colourise = false;
954 * Starting the server, WITHOUT "-x" on the
955 * command-line: use whatever is in the config
958 if (rad_debug_lvl == 0) {
959 rad_debug_lvl = main_config.debug_level;
961 fr_debug_lvl = rad_debug_lvl;
963 FR_INTEGER_COND_CHECK("max_request_time", main_config.max_request_time,
964 (main_config.max_request_time != 0), 100);
967 * reject_delay can be zero. OR 1 though 10.
969 if ((main_config.reject_delay.tv_sec != 0) || (main_config.reject_delay.tv_usec != 0)) {
970 FR_TIMEVAL_BOUND_CHECK("reject_delay", &main_config.reject_delay, >=, 1, 0);
972 FR_TIMEVAL_BOUND_CHECK("reject_delay", &main_config.reject_delay, <=, 10, 0);
974 FR_INTEGER_BOUND_CHECK("cleanup_delay", main_config.cleanup_delay, <=, 10);
976 FR_INTEGER_BOUND_CHECK("resources.talloc_pool_size", main_config.talloc_pool_size, >=, 2 * 1024);
977 FR_INTEGER_BOUND_CHECK("resources.talloc_pool_size", main_config.talloc_pool_size, <=, 1024 * 1024);
980 * Set default initial request processing delay to 1/3 of a second.
981 * Will be updated by the lowest response window across all home servers,
982 * if it is less than this.
984 main_config.init_delay.tv_sec = 0;
985 main_config.init_delay.tv_usec = 2* (1000000 / 3);
988 * Free the old configuration items, and replace them
991 * Note that where possible, we do atomic switch-overs,
992 * to ensure that the pointers are always valid.
994 rad_assert(main_config.config == NULL);
995 root_config = main_config.config = cs;
997 DEBUG2("%s: #### Loading Realms and Home Servers ####", main_config.name);
998 if (!realms_init(cs)) {
1002 DEBUG2("%s: #### Loading Clients ####", main_config.name);
1003 if (!client_list_parse_section(cs, false)) {
1008 * Register the %{config:section.subsection} xlat function.
1010 xlat_register("config", xlat_config, NULL, NULL);
1011 xlat_register("client", xlat_client, NULL, NULL);
1012 xlat_register("getclient", xlat_getclient, NULL, NULL);
1013 xlat_register("listen", xlat_listen, NULL, NULL);
1016 * Go update our behaviour, based on the configuration
1021 * Sanity check the configuration for internal
1024 FR_TIMEVAL_BOUND_CHECK("reject_delay", &main_config.reject_delay, <=, main_config.cleanup_delay, 0);
1027 if (chdir(radlog_dir) < 0) {
1028 ERROR("Failed to 'chdir %s' after chroot: %s",
1029 radlog_dir, fr_syserror(errno));
1034 cc = talloc_zero(NULL, cached_config_t);
1037 cc->cs = talloc_steal(cc ,cs);
1038 rad_assert(cs_cache == NULL);
1041 /* Clear any unprocessed configuration errors */
1042 (void) fr_strerror();
1048 * Free the configuration. Called only when the server is exiting.
1050 int main_config_free(void)
1052 virtual_servers_free(0);
1055 * Clean up the configuration data
1058 client_list_free(NULL);
1060 listen_free(&main_config.listen);
1063 * Frees current config and any previous configs.
1065 TALLOC_FREE(cs_cache);
1071 void hup_logfile(void)
1075 if (default_log.dst != L_DST_FILES) return;
1077 fd = open(main_config.log_file,
1078 O_WRONLY | O_APPEND | O_CREAT, 0640);
1081 * Atomic swap. We'd like to keep the old
1082 * FD around so that callers don't
1083 * suddenly find the FD closed, and the
1084 * writes go nowhere. But that's hard to
1085 * do. So... we have the case where a
1086 * log message *might* be lost on HUP.
1088 old_fd = default_log.fd;
1089 default_log.fd = fd;
1094 static int hup_callback(void *ctx, void *data)
1096 CONF_SECTION *modules = ctx;
1097 CONF_SECTION *cs = data;
1098 CONF_SECTION *parent;
1100 module_instance_t *mi;
1103 * Files may be defined in sub-sections of a module
1104 * config. Walk up the tree until we find the module
1107 parent = cf_item_parent(cf_section_to_item(cs));
1108 while (parent != modules) {
1110 parent = cf_item_parent(cf_section_to_item(cs));
1113 * Something went wrong. Oh well...
1115 if (!parent) return 0;
1118 name = cf_section_name2(cs);
1119 if (!name) name = cf_section_name1(cs);
1121 mi = module_find(modules, name);
1124 if ((mi->entry->module->type & RLM_TYPE_HUP_SAFE) == 0) return 0;
1126 if (!module_hup_module(mi->cs, mi, time(NULL))) return 0;
1131 void main_config_hup(void)
1134 cached_config_t *cc;
1139 static time_t last_hup = 0;
1142 * Re-open the log file. If we can't, then keep logging
1143 * to the old log file.
1145 * The "open log file" code is here rather than in log.c,
1146 * because it makes that function MUCH simpler.
1151 * Only check the config files every few seconds.
1154 if ((last_hup + 2) >= when) {
1155 INFO("HUP - Last HUP was too recent. Ignoring");
1160 rcode = cf_file_changed(cs_cache->cs, hup_callback);
1161 if (rcode == CF_FILE_NONE) {
1162 INFO("HUP - No files changed. Ignoring");
1166 if (rcode == CF_FILE_ERROR) {
1167 INFO("HUP - Cannot read configuration files. Ignoring");
1172 * No config files have changed.
1174 if ((rcode & CF_FILE_CONFIG) == 0) {
1175 if ((rcode & CF_FILE_MODULE) != 0) {
1176 INFO("HUP - Files loaded by a module have changed.");
1179 * FIXME: reload the module.
1186 cs = cf_section_alloc(NULL, "main", NULL);
1189 /* Read the configuration file */
1190 snprintf(buffer, sizeof(buffer), "%.200s/%.50s.conf", radius_dir, main_config.name);
1192 INFO("HUP - Re-reading configuration files");
1193 if (cf_file_read(cs, buffer) < 0) {
1194 ERROR("Failed to re-read or parse %s", buffer);
1199 cc = talloc_zero(cs_cache, cached_config_t);
1201 ERROR("Out of memory");
1206 * Save the current configuration. Note that we do NOT
1207 * free older ones. We should probably do so at some
1208 * point. Doing so will require us to mark which modules
1209 * are still in use, and which aren't. Modules that
1210 * can't be HUPed always use the original configuration.
1211 * Modules that can be HUPed use one of the newer
1214 cc->created = time(NULL);
1215 cc->cs = talloc_steal(cc, cs);
1216 cc->next = cs_cache;
1219 INFO("HUP - loading modules");
1222 * Prefer the new module configuration.
1224 modules_hup(cf_section_sub_find(cs, "modules"));
1227 * Load new servers BEFORE freeing old ones.
1229 virtual_servers_load(cs);
1231 virtual_servers_free(cc->created - (main_config.max_request_time * 4));