2 * mainconf.c Handle the server's configuration.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2002,2006-2007 The FreeRADIUS server project
21 * Copyright 2002 Alan DeKok <aland@ox.org>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/autoconf.h>
32 #ifdef HAVE_NETINET_IN_H
33 #include <netinet/in.h>
36 #ifdef HAVE_ARPA_INET_H
37 #include <arpa/inet.h>
40 #include <freeradius-devel/radiusd.h>
41 #include <freeradius-devel/rad_assert.h>
42 #include <freeradius-devel/modules.h>
43 #include <freeradius-devel/request_list.h>
45 #include <sys/resource.h>
51 #ifdef HAVE_SYS_PRTCL_H
52 #include <sys/prctl.h>
59 struct main_config_t mainconfig;
62 * Temporary local variables for parsing the configuration
65 static uid_t server_uid;
66 static gid_t server_gid;
69 * These are not used anywhere else..
71 static const char *localstatedir = NULL;
72 static const char *prefix = NULL;
73 static char *syslog_facility = NULL;
74 static const LRAD_NAME_NUMBER str2fac[] = {
85 { "daemon", LOG_DAEMON },
100 { "cron", LOG_CRON },
103 { "authpriv", LOG_AUTHPRIV },
109 { "local0", LOG_LOCAL0 },
112 { "local1", LOG_LOCAL1 },
115 { "local2", LOG_LOCAL2 },
118 { "local3", LOG_LOCAL3 },
121 { "local4", LOG_LOCAL4 },
124 { "local5", LOG_LOCAL5 },
127 { "local6", LOG_LOCAL6 },
130 { "local7", LOG_LOCAL7 },
136 * Map the proxy server configuration parameters to variables.
138 static const CONF_PARSER proxy_config[] = {
139 { "retry_delay", PW_TYPE_INTEGER, 0, &mainconfig.proxy_retry_delay, Stringify(RETRY_DELAY) },
140 { "retry_count", PW_TYPE_INTEGER, 0, &mainconfig.proxy_retry_count, Stringify(RETRY_COUNT) },
141 { "default_fallback", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_fallback, "no" },
142 { "dead_time", PW_TYPE_INTEGER, 0, &mainconfig.proxy_dead_time, Stringify(DEAD_TIME) },
143 { "wake_all_if_all_dead", PW_TYPE_BOOLEAN, 0, &mainconfig.wake_all_if_all_dead, "no" },
144 { "proxy_fail_type", PW_TYPE_STRING_PTR, 0, &mainconfig.proxy_fail_type, NULL},
145 { NULL, -1, 0, NULL, NULL }
150 * Security configuration for the server.
152 static const CONF_PARSER security_config[] = {
153 { "max_attributes", PW_TYPE_INTEGER, 0, &librad_max_attributes, Stringify(0) },
154 { "reject_delay", PW_TYPE_INTEGER, 0, &mainconfig.reject_delay, Stringify(0) },
155 { "status_server", PW_TYPE_BOOLEAN, 0, &mainconfig.status_server, "no"},
156 { NULL, -1, 0, NULL, NULL }
161 * syslog configuration for the server.
163 static const CONF_PARSER log_config[] = {
164 { "syslog_facility", PW_TYPE_STRING_PTR, 0, &syslog_facility, Stringify(0) },
165 { NULL, -1, 0, NULL, NULL }
170 * A mapping of configuration file names to internal variables
172 static const CONF_PARSER server_config[] = {
174 * FIXME: 'prefix' is the ONLY one which should be
175 * configured at compile time. Hard-coding it here is
176 * bad. It will be cleaned up once we clean up the
177 * hard-coded defines for the locations of the various
180 { "prefix", PW_TYPE_STRING_PTR, 0, &prefix, "/usr/local"},
181 { "localstatedir", PW_TYPE_STRING_PTR, 0, &localstatedir, "${prefix}/var"},
182 { "logdir", PW_TYPE_STRING_PTR, 0, &radlog_dir, "${localstatedir}/log"},
183 { "libdir", PW_TYPE_STRING_PTR, 0, &radlib_dir, "${prefix}/lib"},
184 { "radacctdir", PW_TYPE_STRING_PTR, 0, &radacct_dir, "${logdir}/radacct" },
185 { "hostname_lookups", PW_TYPE_BOOLEAN, 0, &librad_dodns, "no" },
187 { "snmp", PW_TYPE_BOOLEAN, 0, &mainconfig.do_snmp, "no" },
189 { "max_request_time", PW_TYPE_INTEGER, 0, &mainconfig.max_request_time, Stringify(MAX_REQUEST_TIME) },
190 { "cleanup_delay", PW_TYPE_INTEGER, 0, &mainconfig.cleanup_delay, Stringify(CLEANUP_DELAY) },
191 { "max_requests", PW_TYPE_INTEGER, 0, &mainconfig.max_requests, Stringify(MAX_REQUESTS) },
192 #ifdef DELETE_BLOCKED_REQUESTS
193 { "delete_blocked_requests", PW_TYPE_INTEGER, 0, &mainconfig.kill_unresponsive_children, Stringify(FALSE) },
195 { "allow_core_dumps", PW_TYPE_BOOLEAN, 0, &mainconfig.allow_core_dumps, "no" },
196 { "log_stripped_names", PW_TYPE_BOOLEAN, 0, &log_stripped_names,"no" },
198 { "log_file", PW_TYPE_STRING_PTR, -1, &mainconfig.log_file, "${logdir}/radius.log" },
199 { "log_auth", PW_TYPE_BOOLEAN, -1, &mainconfig.log_auth, "no" },
200 { "log_auth_badpass", PW_TYPE_BOOLEAN, 0, &mainconfig.log_auth_badpass, "no" },
201 { "log_auth_goodpass", PW_TYPE_BOOLEAN, 0, &mainconfig.log_auth_goodpass, "no" },
202 { "pidfile", PW_TYPE_STRING_PTR, 0, &mainconfig.pid_file, "${run_dir}/radiusd.pid"},
203 { "user", PW_TYPE_STRING_PTR, 0, &mainconfig.uid_name, NULL},
204 { "group", PW_TYPE_STRING_PTR, 0, &mainconfig.gid_name, NULL},
205 { "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" },
207 { "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
209 { "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
210 { "log", PW_TYPE_SUBSECTION, 0, NULL, (const void *) log_config},
211 { "proxy", PW_TYPE_SUBSECTION, 0, NULL, (const void *) proxy_config },
212 { "security", PW_TYPE_SUBSECTION, 0, NULL, (const void *) security_config },
213 { NULL, -1, 0, NULL, NULL }
217 #define MAX_ARGV (256)
219 * Xlat for %{config:section.subsection.attribute}
221 static int xlat_config(void *instance, REQUEST *request,
222 char *fmt, char *out,
224 RADIUS_ESCAPE_STRING func)
229 const char *from, *value;
233 char *argv[MAX_ARGV];
235 request = request; /* -Wunused */
236 instance = instance; /* -Wunused */
242 * Split the string into argv's BEFORE doing radius_xlat...
255 if (argc >= (MAX_ARGV - 1)) break;
258 * Copy the argv over to our buffer.
261 if (to >= myfmt + sizeof(myfmt) - 1) {
262 return 0; /* no error msg */
267 if (from[1] == '{') {
270 length = rad_copy_variable(to, from);
276 } else { /* FIXME: catch %%{ ? */
283 radlog(L_ERR, "config: Unexpected nested '[' in \"%s\"", fmt);
292 radlog(L_ERR, "config: Unbalanced ']' in \"%s\"", fmt);
295 if (from[1] != '.') {
296 radlog(L_ERR, "config: Unexpected text after ']' in \"%s\"", fmt);
305 if (flag == 0) break;
313 if ((*from == '.') && (flag == 0)) {
317 } /* end of string, or found a period */
320 radlog(L_ERR, "config: Unbalanced '[' in \"%s\"", fmt);
324 *(to++) = '\0'; /* terminate the string. */
328 * Expand each string, as appropriate
331 left = sizeof(argv_buf);
332 for (i = 0; i < argc; i++) {
336 * Don't touch argv's which won't be translated.
338 if (strchr(argv[i], '%') == NULL) continue;
340 sublen = radius_xlat(to, left - 1, argv[i], request, NULL);
343 * Fail to be backwards compatible.
345 * It's yucky, but it won't break anything,
346 * and it won't cause security problems.
363 cs = cf_section_find(NULL); /* get top-level section */
366 * Root through section & subsection references.
367 * The last entry of argv MUST be the CONF_PAIR.
369 for (i = 0; i < argc - 1; i++) {
374 * FIXME: What about RADIUS attributes containing '['?
376 name2 = strchr(argv[i], '[');
378 char *p = strchr(name2, ']');
379 rad_assert(p != NULL);
380 rad_assert(p[1] =='\0');
387 subcs = cf_section_sub_find_name2(cs, argv[i],
390 radlog(L_ERR, "config: section \"%s %s {}\" not found while dereferencing \"%s\"", argv[i], name2, fmt);
394 subcs = cf_section_sub_find(cs, argv[i]);
396 radlog(L_ERR, "config: section \"%s {}\" not found while dereferencing \"%s\"", argv[i], fmt);
401 } /* until argc - 1 */
404 * This can now have embedded periods in it.
406 cp = cf_pair_find(cs, argv[argc - 1]);
408 radlog(L_ERR, "config: item \"%s\" not found while dereferencing \"%s\"", argv[argc], fmt);
413 * Ensure that we only copy what's necessary.
415 * If 'outlen' is too small, then the output is chopped to fit.
417 value = cf_pair_value(cp);
419 if (outlen > strlen(value)) {
420 outlen = strlen(value) + 1;
424 return func(out, outlen, value);
429 * Recursively make directories.
431 static int r_mkdir(const char *part)
433 char *ptr, parentdir[500];
436 if (stat(part, &st) == 0)
439 ptr = strrchr(part, '/');
444 snprintf(parentdir, (ptr - part)+1, "%s", part);
446 if (r_mkdir(parentdir) != 0)
449 if (mkdir(part, 0770) != 0) {
450 radlog(L_ERR, "mkdir(%s) error: %s\n", part, strerror(errno));
458 * Checks if the log directory is writeable by a particular user.
460 static int radlogdir_iswritable(const char *effectiveuser)
462 struct passwd *pwent;
464 if (!radlog_dir || radlog_dir[0] != '/')
467 if (r_mkdir(radlog_dir) != 0)
470 /* FIXME: do we have this function? */
471 if (strstr(radlog_dir, "radius") == NULL)
474 /* we have a logdir that mentions 'radius', so it's probably
475 * safe to chown the immediate directory to be owned by the normal
476 * process owner. we gotta do it before we give up root. -chad
479 if (!effectiveuser) {
483 pwent = getpwnam(effectiveuser);
485 if (pwent == NULL) /* uh oh! */
488 if (chown(radlog_dir, pwent->pw_uid, -1) != 0)
496 * Switch UID and GID to what is specified in the config file
498 static int switch_users(void)
500 struct rlimit core_limits;
503 if (mainconfig.gid_name != NULL) {
506 gr = getgrnam(mainconfig.gid_name);
508 if (errno == ENOMEM) {
509 radlog(L_ERR|L_CONS, "Cannot switch to Group %s: out of memory", mainconfig.gid_name);
511 radlog(L_ERR|L_CONS, "Cannot switch group; %s doesn't exist", mainconfig.gid_name);
515 server_gid = gr->gr_gid;
516 if (setgid(server_gid) < 0) {
517 radlog(L_ERR|L_CONS, "Failed setting Group to %s: %s",
518 mainconfig.gid_name, strerror(errno));
522 server_gid = getgid();
526 if (mainconfig.uid_name != NULL) {
529 pw = getpwnam(mainconfig.uid_name);
531 if (errno == ENOMEM) {
532 radlog(L_ERR|L_CONS, "Cannot switch to User %s: out of memory", mainconfig.uid_name);
534 radlog(L_ERR|L_CONS, "Cannot switch user; %s doesn't exist", mainconfig.uid_name);
538 server_uid = pw->pw_uid;
539 #ifdef HAVE_INITGROUPS
540 if (initgroups(mainconfig.uid_name, server_gid) < 0) {
541 if (errno != EPERM) {
542 radlog(L_ERR|L_CONS, "Failed setting supplementary groups for User %s: %s", mainconfig.uid_name, strerror(errno));
547 if (setuid(server_uid) < 0) {
548 radlog(L_ERR|L_CONS, "Failed setting User to %s: %s", mainconfig.uid_name, strerror(errno));
553 /* Get the current maximum for core files. */
554 if (getrlimit(RLIMIT_CORE, &core_limits) < 0) {
555 radlog(L_ERR|L_CONS, "Failed to get current core limit: %s", strerror(errno));
559 if (mainconfig.allow_core_dumps) {
560 #ifdef HAVE_SYS_PRTCL_H
561 #ifdef PR_SET_DUMPABLE
562 if (prctl(PR_SET_DUMPABLE, 1) < 0) {
563 radlog(L_ERR|L_CONS,"Cannot enable core dumps: prctl(PR_SET_DUMPABLE) failed: '%s'",
569 if (setrlimit(RLIMIT_CORE, &core_limits) < 0) {
570 radlog(L_ERR|L_CONS, "Cannot update core dump limit: %s",
575 * If we're running as a daemon, and core
576 * dumps are enabled, log that information.
578 } else if ((core_limits.rlim_cur != 0) && !debug_flag)
579 radlog(L_INFO|L_CONS, "Core dumps are enabled.");
581 } else if (!debug_flag) {
583 * Not debugging. Set the core size to zero, to
584 * prevent security breaches. i.e. People
585 * reading passwords from the 'core' file.
587 struct rlimit limits;
590 limits.rlim_max = core_limits.rlim_max;
592 if (setrlimit(RLIMIT_CORE, &limits) < 0) {
593 radlog(L_ERR|L_CONS, "Cannot disable core dumps: %s",
600 * We've probably written to the log file already as
601 * root.root, so if we have switched users, we've got to
602 * update the ownership of the file.
604 if ((debug_flag == 0) &&
605 (mainconfig.radlog_dest == RADLOG_FILES) &&
606 (mainconfig.log_file != NULL)) {
607 chown(mainconfig.log_file, server_uid, server_gid);
615 * Create the linked list of realms from the new configuration type
616 * This way we don't have to change to much in the other source-files
618 static int generate_realms(const char *filename)
621 REALM *my_realms = NULL;
623 char *s, *t, *authhost, *accthost;
627 for (cs = cf_subsection_find_next(mainconfig.config, NULL, "realm");
629 cs = cf_subsection_find_next(mainconfig.config, cs, "realm")) {
630 name2 = cf_section_name2(cs);
632 radlog(L_CONS|L_ERR, "%s[%d]: Missing realm name",
633 filename, cf_section_lineno(cs));
637 * We've found a realm, allocate space for it
639 c = rad_malloc(sizeof(REALM));
640 memset(c, 0, sizeof(REALM));
645 * No authhost means LOCAL.
647 if ((authhost = cf_section_value_find(cs, "authhost")) == NULL) {
648 c->ipaddr.af = AF_INET;
649 c->ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
652 if ((s = strchr(authhost, ':')) != NULL) {
654 c->auth_port = atoi(s);
656 c->auth_port = PW_AUTH_UDP_PORT;
658 if (strcmp(authhost, "LOCAL") == 0) {
660 * Local realms don't have an IP address,
663 c->ipaddr.af = AF_INET;
664 c->ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
667 if (ip_hton(authhost, AF_INET,
669 radlog(L_ERR, "%s[%d]: Host %s not found",
670 filename, cf_section_lineno(cs),
677 * Double check length, just to be sure!
679 if (strlen(authhost) >= sizeof(c->server)) {
680 radlog(L_ERR, "%s[%d]: Server name of length %u is greater than allowed: %u",
681 filename, cf_section_lineno(cs),
683 sizeof(c->server) - 1);
689 * No accthost means LOCAL
691 if ((accthost = cf_section_value_find(cs, "accthost")) == NULL) {
692 c->acct_ipaddr.af = AF_INET;
693 c->acct_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
696 if ((s = strchr(accthost, ':')) != NULL) {
698 c->acct_port = atoi(s);
700 c->acct_port = PW_ACCT_UDP_PORT;
702 if (strcmp(accthost, "LOCAL") == 0) {
704 * Local realms don't have an IP address,
707 c->acct_ipaddr.af = AF_INET;
708 c->acct_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
711 if (ip_hton(accthost, AF_INET,
712 &c->acct_ipaddr) < 0) {
713 radlog(L_ERR, "%s[%d]: Host %s not found",
714 filename, cf_section_lineno(cs),
720 if (strlen(accthost) >= sizeof(c->acct_server)) {
721 radlog(L_ERR, "%s[%d]: Server name of length %u is greater than allowed: %u",
722 filename, cf_section_lineno(cs),
724 sizeof(c->acct_server) - 1);
729 if (strlen(name2) >= sizeof(c->realm)) {
730 radlog(L_ERR, "%s[%d]: Realm name of length %u is greater than allowed %u",
731 filename, cf_section_lineno(cs),
733 sizeof(c->server) - 1);
737 strcpy(c->realm, name2);
738 if (authhost) strcpy(c->server, authhost);
739 if (accthost) strcpy(c->acct_server, accthost);
742 * If one or the other of authentication/accounting
743 * servers is set to LOCALHOST, then don't require
746 rad_assert(c->ipaddr.af == AF_INET);
747 rad_assert(c->acct_ipaddr.af == AF_INET);
748 if ((c->ipaddr.ipaddr.ip4addr.s_addr != htonl(INADDR_NONE)) ||
749 (c->acct_ipaddr.ipaddr.ip4addr.s_addr != htonl(INADDR_NONE))) {
750 if ((s = cf_section_value_find(cs, "secret")) == NULL ) {
751 radlog(L_ERR, "%s[%d]: No shared secret supplied for realm: %s",
752 filename, cf_section_lineno(cs), name2);
756 if (strlen(s) >= sizeof(c->secret)) {
757 radlog(L_ERR, "%s[%d]: Secret of length %u is greater than the allowed maximum of %u.",
758 filename, cf_section_lineno(cs),
759 strlen(s), sizeof(c->secret) - 1);
762 strlcpy((char *)c->secret, s, sizeof(c->secret));
767 if ((cf_section_value_find(cs, "nostrip")) != NULL)
769 if ((cf_section_value_find(cs, "noacct")) != NULL)
771 if ((cf_section_value_find(cs, "trusted")) != NULL)
773 if ((cf_section_value_find(cs, "notrealm")) != NULL)
775 if ((cf_section_value_find(cs, "notsuffix")) != NULL)
777 if ((t = cf_section_value_find(cs,"ldflag")) != NULL) {
778 static const LRAD_NAME_NUMBER ldflags[] = {
780 { "round_robin", 1 },
784 c->ldflag = lrad_str2int(ldflags, t, -1);
785 if (c->ldflag == -1) {
786 radlog(L_ERR, "%s[%d]: Unknown value \"%s\" for ldflag",
787 filename, cf_section_lineno(cs),
793 c->ldflag = 0; /* non, make it fail-over */
796 c->acct_active = TRUE;
804 * And make these realms preferred over the ones
805 * in the 'realms' file.
807 *tail = mainconfig.realms;
808 mainconfig.realms = my_realms;
811 * Ensure that all of the flags agree for the realms.
813 * Yeah, it's O(N^2), but it's only once, and the
814 * maximum number of realms is small.
816 for(c = mainconfig.realms; c != NULL; c = c->next) {
820 * Check that we cannot load balance to LOCAL
821 * realms, as that doesn't make any sense.
823 rad_assert(c->ipaddr.af == AF_INET);
824 rad_assert(c->acct_ipaddr.af == AF_INET);
825 if ((c->ldflag == 1) &&
826 ((c->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_NONE)) ||
827 (c->acct_ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_NONE)))) {
828 radlog(L_ERR | L_CONS, "ERROR: Realm %s cannot be load balanced to LOCAL",
834 * Compare this realm to all others, to ensure
835 * that the configuration is consistent.
837 for (this = c->next; this != NULL; this = this->next) {
838 if (strcasecmp(c->realm, this->realm) != 0) {
843 * Same realm: Different load balancing
846 if (c->ldflag != this->ldflag) {
847 radlog(L_ERR | L_CONS, "ERROR: Inconsistent value in realm %s for load balancing 'ldflag' attribute",
858 static const LRAD_NAME_NUMBER str2dest[] = {
859 { "null", RADLOG_NULL },
860 { "files", RADLOG_FILES },
861 { "syslog", RADLOG_SYSLOG },
862 { "stdout", RADLOG_STDOUT },
863 { "stderr", RADLOG_STDERR },
864 { NULL, RADLOG_NUM_DEST }
871 * This function can ONLY be called from the main server process.
873 int read_mainconfig(int reload)
875 static int old_debug_level = -1;
877 CONF_SECTION *cs, *oldcs;
878 rad_listen_t *listener;
881 if (stat(radius_dir, &statbuf) < 0) {
882 radlog(L_ERR|L_CONS, "Errors reading %s: %s",
883 radius_dir, strerror(errno));
887 if ((statbuf.st_mode & S_IWOTH) != 0) {
888 radlog(L_ERR|L_CONS, "Configuration directory %s is globally writable. Refusing to start due to insecure configuration.",
894 if (0 && (statbuf.st_mode & S_IROTH) != 0) {
895 radlog(L_ERR|L_CONS, "Configuration directory %s is globally readable. Refusing to start due to insecure configuration.",
900 /* Read the configuration file */
901 snprintf(buffer, sizeof(buffer), "%.200s/%.50s",
902 radius_dir, mainconfig.radiusd_conf);
903 if ((cs = cf_file_read(buffer)) == NULL) {
904 radlog(L_ERR|L_CONS, "Errors reading %s", buffer);
909 * Debug flag 1 MAY go to files.
910 * Debug flag 2 ALWAYS goes to stdout
912 * Parse the log_destination before printing anything else.
913 * All messages before this MUST be errors, which log.c
914 * will print to stderr, since log_file is NULL, too.
916 if (debug_flag < 2) {
918 char *radlog_dest = NULL;
920 rcode = cf_item_parse(cs, "log_destination",
921 PW_TYPE_STRING_PTR, &radlog_dest,
923 if (rcode < 0) return -1;
925 mainconfig.radlog_dest = lrad_str2int(str2dest, radlog_dest, RADLOG_NUM_DEST);
926 if (mainconfig.radlog_dest == RADLOG_NUM_DEST) {
927 fprintf(stderr, "radiusd: Error: Unknown log_destination %s\n",
930 cf_section_free(&cs);
934 if (mainconfig.radlog_dest == RADLOG_SYSLOG) {
935 static const CONF_PARSER syslog_config[] = {
936 { "log", PW_TYPE_SUBSECTION, 0, NULL, (const void *) log_config},
937 { NULL, -1, 0, NULL, NULL }
939 cf_section_parse(cs, NULL, syslog_config);
942 * Make sure syslog_facility isn't NULL before using it
944 if (!syslog_facility) {
945 fprintf(stderr, "radiusd: Error: Unknown syslog chosen but no facility spedified\n");
947 cf_section_free(&cs);
950 mainconfig.syslog_facility = lrad_str2int(str2fac, syslog_facility, -1);
951 if (mainconfig.syslog_facility < 0) {
952 fprintf(stderr, "radiusd: Error: Unknown syslog_facility %s\n",
955 free(syslog_facility);
956 cf_section_free(&cs);
961 if (mainconfig.radlog_dest == RADLOG_FILES) {
962 static const CONF_PARSER file_config[] = {
963 { "log_file", PW_TYPE_STRING_PTR, -1, &mainconfig.log_file, "${logdir}/radius.log" },
964 { NULL, -1, 0, NULL, NULL }
967 cf_section_parse(cs, NULL, file_config);
972 mainconfig.radlog_dest = RADLOG_STDOUT;
973 mainconfig.radlog_fd = STDOUT_FILENO;
976 radlog(L_INFO, "%s", radiusd_version);
978 radlog(L_INFO, "Starting - reading configuration files ...");
980 radlog(L_INFO, "Reloading - reading configuration files...");
983 /* Initialize the dictionary */
984 DEBUG2("read_config_files: reading dictionary");
985 if (dict_init(radius_dir, RADIUS_DICTIONARY) != 0) {
986 radlog(L_ERR|L_CONS, "Errors reading dictionary: %s",
992 * This allows us to figure out where, relative to
993 * radiusd.conf, the other configuration files exist.
995 cf_section_parse(cs, NULL, server_config);
999 * Merge the old with the new.
1002 CONF_SECTION *newcs;
1004 newcs = cf_section_sub_find(cs, "modules");
1005 oldcs = cf_section_sub_find(mainconfig.config, "modules");
1006 if (newcs && oldcs) {
1007 if (!cf_section_migrate(newcs, oldcs)) {
1008 radlog(L_ERR|L_CONS, "Fatal error migrating configuration data");
1016 * Free the old configuration items, and replace them
1017 * with the new ones.
1019 * Note that where possible, we do atomic switch-overs,
1020 * to ensure that the pointers are always valid.
1022 oldcs = mainconfig.config;
1023 mainconfig.config = cs;
1024 cf_section_free(&oldcs);
1027 * Old-style realms file.
1029 snprintf(buffer, sizeof(buffer), "%.200s/%.50s", radius_dir, RADIUS_REALMS);
1030 DEBUG2("read_config_files: reading realms");
1031 if (read_realms_file(buffer) < 0) {
1032 radlog(L_ERR|L_CONS, "Errors reading realms");
1037 * If there isn't any realms it isn't fatal..
1039 snprintf(buffer, sizeof(buffer), "%.200s/%.50s",
1040 radius_dir, mainconfig.radiusd_conf);
1041 if (generate_realms(buffer) < 0) {
1046 * Register the %{config:section.subsection} xlat function.
1048 xlat_register("config", xlat_config, NULL);
1051 * Set the libraries debugging flag to whatever the main
1052 * flag is. Note that on a SIGHUP, to turn the debugging
1053 * off, we do other magic.
1055 * Increase the debug level, if the configuration file
1056 * says to, OR, if we're decreasing the debug from what it
1057 * was before, allow that, too.
1059 if ((mainconfig.debug_level > debug_flag) ||
1060 (mainconfig.debug_level <= old_debug_level)) {
1061 debug_flag = mainconfig.debug_level;
1063 librad_debug = debug_flag;
1064 old_debug_level = mainconfig.debug_level;
1067 * Go update our behaviour, based on the configuration
1072 * The first time around, ensure that we can write to the
1077 * We need root to do mkdir() and chown(), so we
1078 * do this before giving up root.
1080 radlogdir_iswritable(mainconfig.uid_name);
1084 * We should really switch users earlier in the process.
1089 * Sanity check the configuration for internal
1092 if (mainconfig.reject_delay > mainconfig.cleanup_delay) {
1093 mainconfig.reject_delay = mainconfig.cleanup_delay;
1097 * Initialize the old "bind_address" and "port", first.
1102 * Read the list of listeners.
1104 snprintf(buffer, sizeof(buffer), "%.200s/%.50s",
1105 radius_dir, mainconfig.radiusd_conf);
1106 if (listen_init(buffer, &listener) < 0) {
1111 radlog(L_ERR|L_CONS, "Server is not configured to listen on any ports. Exiting.");
1115 listen_free(&mainconfig.listen);
1116 mainconfig.listen = listener;
1119 * Walk through the listeners. If we're listening on acct
1120 * or auth, read in the clients files, else ignore them.
1122 for (listener = mainconfig.listen;
1124 listener = listener->next) {
1125 if ((listener->type == RAD_LISTEN_AUTH) ||
1126 (listener->type == RAD_LISTEN_ACCT)) {
1131 if (listener != NULL) {
1132 RADCLIENT_LIST *clients, *old_clients;
1135 * Create the new clients first, and add them
1136 * to the CONF_SECTION, where they're automagically
1137 * freed if anything goes wrong.
1139 snprintf(buffer, sizeof(buffer), "%.200s/%.50s",
1140 radius_dir, mainconfig.radiusd_conf);
1141 clients = clients_parse_section(buffer, mainconfig.config);
1147 * Free the old trees AFTER replacing them with
1150 old_clients = mainconfig.clients;
1151 mainconfig.clients = clients;
1152 clients_free(old_clients);
1157 /* Reload the modules. */
1158 DEBUG2("radiusd: entering modules setup");
1159 if (setup_modules(reload) < 0) {
1160 radlog(L_ERR|L_CONS, "Errors setting up modules");
1167 * Free the configuration. Called only when the server is exiting.
1169 int free_mainconfig(void)
1172 * Clean up the configuration data
1175 cf_section_free(&mainconfig.config);
1176 free(mainconfig.radiusd_conf);
1177 realm_free(mainconfig.realms);
1178 listen_free(&mainconfig.listen);