2 * mainconf.c Handle the server's configuration.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2002,2006-2007 The FreeRADIUS server project
21 * Copyright 2002 Alan DeKok <aland@ox.org>
26 #include <freeradius-devel/radiusd.h>
27 #include <freeradius-devel/modules.h>
28 #include <freeradius-devel/rad_assert.h>
44 #ifdef HAVE_SYS_STAT_H
45 # include <sys/stat.h>
52 struct main_config_t main_config;
53 fr_cond_t *debug_condition;
54 extern bool log_dates_utc;
56 typedef struct cached_config_t {
57 struct cached_config_t *next;
62 static cached_config_t *cs_cache = NULL;
65 * Temporary local variables for parsing the configuration
70 * Systems that have set/getresuid also have setuid.
72 static uid_t server_uid = 0;
73 static gid_t server_gid = 0;
74 static char const *uid_name = NULL;
75 static char const *gid_name = NULL;
77 static char const *chroot_dir = NULL;
78 static bool allow_core_dumps = false;
79 static char const *radlog_dest = NULL;
82 * These are not used anywhere else..
84 static char const *localstatedir = NULL;
85 static char const *prefix = NULL;
86 static char const *my_name = NULL;
87 static char const *sbindir = NULL;
88 static char const *run_dir = NULL;
89 static char const *syslog_facility = NULL;
90 static bool do_colourise = false;
92 static char const *radius_dir = NULL; //!< Path to raddb directory
96 * Security configuration for the server.
98 static const CONF_PARSER security_config[] = {
99 { "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
100 { "reject_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.reject_delay), STRINGIFY(0) },
101 { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
102 { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
103 { NULL, -1, 0, NULL, NULL }
108 * Logging configuration for the server.
110 static const CONF_PARSER logdest_config[] = {
111 { "destination", FR_CONF_POINTER(PW_TYPE_STRING, &radlog_dest), "files" },
112 { "syslog_facility", FR_CONF_POINTER(PW_TYPE_STRING, &syslog_facility), STRINGIFY(0) },
114 { "file", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.log_file), "${logdir}/radius.log" },
115 { "requests", FR_CONF_POINTER(PW_TYPE_STRING, &default_log.file), NULL },
116 { NULL, -1, 0, NULL, NULL }
120 static const CONF_PARSER serverdest_config[] = {
121 { "log", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) logdest_config },
122 { "log_file", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.log_file), NULL },
123 { "log_destination", FR_CONF_POINTER(PW_TYPE_STRING, &radlog_dest), NULL },
124 { "use_utc", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_dates_utc), NULL },
125 { NULL, -1, 0, NULL, NULL }
129 static const CONF_PARSER log_config_nodest[] = {
130 { "stripped_names", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_stripped_names),"no" },
131 { "auth", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_auth), "no" },
132 { "auth_badpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_auth_badpass), "no" },
133 { "auth_goodpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_auth_goodpass), "no" },
134 { "msg_badpass", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.auth_badpass_msg), NULL},
135 { "msg_goodpass", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.auth_goodpass_msg), NULL},
136 { "colourise",FR_CONF_POINTER(PW_TYPE_BOOLEAN, &do_colourise), NULL },
137 { "use_utc", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_dates_utc), NULL },
138 { "msg_denied", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.denied_msg),
139 "You are already logged in - access denied" },
141 { NULL, -1, 0, NULL, NULL }
146 * A mapping of configuration file names to internal variables
148 static const CONF_PARSER server_config[] = {
150 * FIXME: 'prefix' is the ONLY one which should be
151 * configured at compile time. Hard-coding it here is
152 * bad. It will be cleaned up once we clean up the
153 * hard-coded defines for the locations of the various
156 { "name", FR_CONF_POINTER(PW_TYPE_STRING, &my_name), "radiusd"},
157 { "prefix", FR_CONF_POINTER(PW_TYPE_STRING, &prefix), "/usr/local"},
158 { "localstatedir", FR_CONF_POINTER(PW_TYPE_STRING, &localstatedir), "${prefix}/var"},
159 { "sbindir", FR_CONF_POINTER(PW_TYPE_STRING, &sbindir), "${prefix}/sbin"},
160 { "logdir", FR_CONF_POINTER(PW_TYPE_STRING, &radlog_dir), "${localstatedir}/log"},
161 { "run_dir", FR_CONF_POINTER(PW_TYPE_STRING, &run_dir), "${localstatedir}/run/${name}"},
162 { "libdir", FR_CONF_POINTER(PW_TYPE_STRING, &radlib_dir), "${prefix}/lib"},
163 { "radacctdir", FR_CONF_POINTER(PW_TYPE_STRING, &radacct_dir), "${logdir}/radacct" },
164 { "panic_action", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.panic_action), NULL},
165 { "hostname_lookups", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &fr_dns_lookups), "no" },
166 { "max_request_time", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.max_request_time), STRINGIFY(MAX_REQUEST_TIME) },
167 { "cleanup_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.cleanup_delay), STRINGIFY(CLEANUP_DELAY) },
168 { "max_requests", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.max_requests), STRINGIFY(MAX_REQUESTS) },
169 { "pidfile", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.pid_file), "${run_dir}/radiusd.pid"},
170 { "checkrad", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.checkrad), "${sbindir}/checkrad" },
172 { "debug_level", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.debug_level), "0"},
175 { "proxy_requests", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.proxy_requests), "yes" },
177 { "log", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) log_config_nodest },
180 * People with old configs will have these. They are listed
181 * AFTER the "log" section, so if they exist in radiusd.conf,
182 * it will prefer "log_foo = bar" to "log { foo = bar }".
183 * They're listed with default values of NULL, so that if they
184 * DON'T exist in radiusd.conf, then the previously parsed
185 * values for "log { foo = bar}" will be used.
187 { "log_auth", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &main_config.log_auth), NULL },
188 { "log_auth_badpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &main_config.log_auth_badpass), NULL },
189 { "log_auth_goodpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &main_config.log_auth_goodpass), NULL },
190 { "log_stripped_names", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &log_stripped_names), NULL },
192 { "security", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) security_config },
194 { NULL, -1, 0, NULL, NULL }
197 static const CONF_PARSER bootstrap_security_config[] = {
199 { "user", FR_CONF_POINTER(PW_TYPE_STRING, &uid_name), NULL },
200 { "group", FR_CONF_POINTER(PW_TYPE_STRING, &gid_name), NULL },
202 { "chroot", FR_CONF_POINTER(PW_TYPE_STRING, &chroot_dir), NULL },
203 { "allow_core_dumps", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &allow_core_dumps), "no" },
205 { NULL, -1, 0, NULL, NULL }
208 static const CONF_PARSER bootstrap_config[] = {
209 { "security", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) bootstrap_security_config },
212 * For backwards compatibility.
215 { "user", FR_CONF_POINTER(PW_TYPE_STRING | PW_TYPE_DEPRECATED, &uid_name), NULL },
216 { "group", FR_CONF_POINTER(PW_TYPE_STRING | PW_TYPE_DEPRECATED, &gid_name), NULL },
218 { "chroot", FR_CONF_POINTER(PW_TYPE_STRING | PW_TYPE_DEPRECATED, &chroot_dir), NULL },
219 { "allow_core_dumps", FR_CONF_POINTER(PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED, &allow_core_dumps), NULL },
221 { NULL, -1, 0, NULL, NULL }
226 #define MAX_ARGV (256)
229 static size_t config_escape_func(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
232 static char const disallowed[] = "%{}\\'\"`";
236 * Non-printable characters get replaced with their
237 * mime-encoded equivalents.
240 if (outlen <= 3) break;
242 snprintf(out, outlen, "=%02X", (unsigned char) in[0]);
249 } else if (strchr(disallowed, *in) != NULL) {
250 if (outlen <= 2) break;
262 * Only one byte left.
282 * Xlat for %{config:section.subsection.attribute}
284 static ssize_t xlat_config(UNUSED void *instance, REQUEST *request, char const *fmt, char *out, size_t outlen)
294 if (radius_xlat(buffer, sizeof(buffer), request, fmt, config_escape_func, NULL) < 0) {
298 ci = cf_reference_item(request->root->config,
299 request->root->config, buffer);
300 if (!ci || !cf_item_is_pair(ci)) {
301 REDEBUG("Config item \"%s\" does not exist", fmt);
306 cp = cf_itemtopair(ci);
309 * Ensure that we only copy what's necessary.
311 * If 'outlen' is too small, then the output is chopped to fit.
313 value = cf_pair_value(cp);
319 if (outlen > strlen(value)) {
320 outlen = strlen(value) + 1;
323 strlcpy(out, value, outlen);
330 * Xlat for %{client:foo}
332 static ssize_t xlat_client(UNUSED void *instance, REQUEST *request, char const *fmt, char *out, size_t outlen)
334 char const *value = NULL;
337 if (!fmt || !out || (outlen < 1)) return 0;
339 if (!request->client) {
340 RWDEBUG("No client associated with this request");
345 cp = cf_pair_find(request->client->cs, fmt);
346 if (!cp || !(value = cf_pair_value(cp))) {
347 if (strcmp(fmt, "shortname") == 0) {
348 strlcpy(out, request->client->shortname, outlen);
351 RDEBUG("Client does not contain config item \"%s\"", fmt);
356 strlcpy(out, value, outlen);
362 * Xlat for %{getclient:<ipaddr>.foo}
364 static ssize_t xlat_getclient(UNUSED void *instance, REQUEST *request, char const *fmt, char *out, size_t outlen)
366 char const *value = NULL;
367 char buffer[INET6_ADDRSTRLEN], *q;
371 RADCLIENT *client = NULL;
373 if (!fmt || !out || (outlen < 1)) return 0;
376 if (!q || (q == p) || (((size_t)(q - p)) > sizeof(buffer))) {
377 REDEBUG("Invalid client string");
381 strlcpy(buffer, p, (q + 1) - p);
382 if (fr_pton(&ip, buffer, 0, false) <= 0) {
383 REDEBUG("\"%s\" is not a valid IPv4 or IPv6 address", buffer);
389 client = client_find(NULL, &ip, IPPROTO_IP);
391 RDEBUG("No client found with IP \"%s\"", buffer);
396 cp = cf_pair_find(client->cs, fmt);
397 if (!cp || !(value = cf_pair_value(cp))) {
398 if (strcmp(fmt, "shortname") == 0) {
399 strlcpy(out, request->client->shortname, outlen);
402 RDEBUG("Client does not contain config item \"%s\"", fmt);
407 strlcpy(out, value, outlen);
416 static bool doing_setuid = false;
418 # if defined(HAVE_SETRESUID) && defined (HAVE_GETRESUID)
419 void fr_suid_up(void)
421 uid_t ruid, euid, suid;
423 if (getresuid(&ruid, &euid, &suid) < 0) {
424 ERROR("Failed getting saved UID's");
428 if (setresuid(-1, suid, -1) < 0) {
429 ERROR("Failed switching to privileged user");
433 if (geteuid() != suid) {
434 ERROR("Switched to unknown UID");
439 void fr_suid_down(void)
441 if (!doing_setuid) return;
443 if (setresuid(-1, server_uid, geteuid()) < 0) {
444 fprintf(stderr, "%s: Failed switching to uid %s: %s\n",
445 progname, uid_name, fr_syserror(errno));
449 if (geteuid() != server_uid) {
450 fprintf(stderr, "%s: Failed switching uid: UID is incorrect\n",
455 fr_set_dumpable(allow_core_dumps);
458 void fr_suid_down_permanent(void)
460 if (!doing_setuid) return;
462 if (setresuid(server_uid, server_uid, server_uid) < 0) {
463 ERROR("Failed in permanent switch to uid %s: %s",
464 uid_name, fr_syserror(errno));
468 if (geteuid() != server_uid) {
469 ERROR("Switched to unknown uid");
473 fr_set_dumpable(allow_core_dumps);
477 * Much less secure...
479 void fr_suid_up(void)
483 void fr_suid_down(void)
485 if (!uid_name) return;
487 if (setuid(server_uid) < 0) {
488 fprintf(stderr, "%s: Failed switching to uid %s: %s\n",
489 progname, uid_name, fr_syserror(errno));
493 fr_set_dumpable(allow_core_dumps);
496 void fr_suid_down_permanent(void)
498 fr_set_dumpable(allow_core_dumps);
500 # endif /* HAVE_SETRESUID && HAVE_GETRESUID */
501 #else /* HAVE_SETUID */
502 void fr_suid_up(void)
505 void fr_suid_down(void)
507 fr_set_dumpable(allow_core_dumps);
509 void fr_suid_down_permanent(void)
511 fr_set_dumpable(allow_core_dumps);
513 #endif /* HAVE_SETUID */
518 * Do chroot, if requested.
520 * Switch UID and GID to what is specified in the config file
522 static int switch_users(CONF_SECTION *cs)
525 * Get the current maximum for core files. Do this
526 * before anything else so as to ensure it's properly
529 if (fr_set_dumpable_init() < 0) {
530 fr_perror("radiusd");
535 * Don't do chroot/setuid/setgid if we're in debugging
538 if (debug_flag && (getuid() != 0)) return 1;
540 if (cf_section_parse(cs, NULL, bootstrap_config) < 0) {
541 fprintf(stderr, "radiusd: Error: Failed to parse user/group information.\n");
551 gr = getgrnam(gid_name);
553 fprintf(stderr, "%s: Cannot get ID for group %s: %s\n",
554 progname, gid_name, fr_syserror(errno));
557 server_gid = gr->gr_gid;
559 server_gid = getgid();
568 pw = getpwnam(uid_name);
570 fprintf(stderr, "%s: Cannot get passwd entry for user %s: %s\n",
571 progname, uid_name, fr_syserror(errno));
575 if (getuid() == pw->pw_uid) {
579 server_uid = pw->pw_uid;
580 #ifdef HAVE_INITGROUPS
581 if (initgroups(uid_name, server_gid) < 0) {
582 fprintf(stderr, "%s: Cannot initialize supplementary group list for user %s: %s\n",
583 progname, uid_name, fr_syserror(errno));
589 server_uid = getuid();
594 if (chroot(chroot_dir) < 0) {
595 fprintf(stderr, "%s: Failed to perform chroot %s: %s",
596 progname, chroot_dir, fr_syserror(errno));
601 * Note that we leave chdir alone. It may be
602 * OUTSIDE of the root. This allows us to read
603 * the configuration from "-d ./etc/raddb", with
604 * the chroot as "./chroot/" for example. After
605 * the server has been loaded, it does a "cd
606 * ${logdir}" below, so that core files (if any)
607 * go to a logging directory.
609 * This also allows the configuration of the
610 * server to be outside of the chroot. If the
611 * server is statically linked, then the only
612 * things needed inside of the chroot are the
613 * logging directories.
619 if (gid_name && (setgid(server_gid) < 0)) {
620 fprintf(stderr, "%s: Failed setting group to %s: %s",
621 progname, gid_name, fr_syserror(errno));
628 * Just before losing root permissions, ensure that the
629 * log files have the correct owner && group.
631 * We have to do this because the log file MAY have been
632 * specified on the command-line.
634 if (uid_name || gid_name) {
635 if ((default_log.dst == L_DST_FILES) &&
636 (default_log.fd < 0)) {
637 default_log.fd = open(main_config.log_file,
638 O_WRONLY | O_APPEND | O_CREAT, 0640);
639 if (default_log.fd < 0) {
640 fprintf(stderr, "radiusd: Failed to open log file %s: %s\n", main_config.log_file, fr_syserror(errno));
644 if (chown(main_config.log_file, server_uid, server_gid) < 0) {
645 fprintf(stderr, "%s: Cannot change ownership of log file %s: %s\n",
646 progname, main_config.log_file, fr_syserror(errno));
660 * This also clears the dumpable flag if core dumps
663 if (fr_set_dumpable(allow_core_dumps) < 0) {
664 ERROR("%s", fr_strerror());
667 if (allow_core_dumps) {
668 INFO("Core dumps are enabled");
673 #endif /* HAVE_SETUID */
675 /** Set the global radius config directory.
677 * @param ctx Where to allocate the memory for the path string.
678 * @param path to config dir root e.g. /usr/local/etc/raddb
680 void set_radius_dir(TALLOC_CTX *ctx, char const *path)
685 memcpy(&p, &radius_dir, sizeof(p));
689 if (path) radius_dir = talloc_strdup(ctx, path);
692 /** Get the global radius config directory.
694 * @return the global radius config directory.
696 char const *get_radius_dir(void)
704 * This function can ONLY be called from the main server process.
706 int main_config_init(void)
708 char const *p = NULL;
714 if (stat(radius_dir, &statbuf) < 0) {
715 ERROR("Errors reading %s: %s",
716 radius_dir, fr_syserror(errno));
721 if ((statbuf.st_mode & S_IWOTH) != 0) {
722 ERROR("Configuration directory %s is globally writable. Refusing to start due to insecure configuration.",
729 if (0 && (statbuf.st_mode & S_IROTH) != 0) {
730 ERROR("Configuration directory %s is globally readable. Refusing to start due to insecure configuration.",
735 INFO("Starting - reading configuration files ...");
738 * We need to load the dictionaries before reading the
739 * configuration files. This is because of the
740 * pre-compilation in conffile.c. That should probably
741 * be fixed to be done as a second stage.
743 if (!main_config.dictionary_dir) {
744 main_config.dictionary_dir = DICTDIR;
748 * Read the distribution dictionaries first, then
751 DEBUG2("including dictionary file %s/%s", main_config.dictionary_dir, RADIUS_DICTIONARY);
752 if (dict_init(main_config.dictionary_dir, RADIUS_DICTIONARY) != 0) {
753 ERROR("Errors reading dictionary: %s",
758 #define DICT_READ_OPTIONAL(_d, _n) \
760 switch (dict_read(_d, _n)) {\
762 ERROR("Errors reading %s/%s: %s", _d, _n, fr_strerror());\
765 DEBUG2("including dictionary file %s/%s", _d,_n);\
773 * Try to load protocol-specific dictionaries. It's OK
774 * if they don't exist.
777 DICT_READ_OPTIONAL(main_config.dictionary_dir, "dictionary.dhcp");
781 DICT_READ_OPTIONAL(main_config.dictionary_dir, "dictionary.vqp");
785 * It's OK if this one doesn't exist.
787 DICT_READ_OPTIONAL(radius_dir, RADIUS_DICTIONARY);
789 /* Read the configuration file */
790 snprintf(buffer, sizeof(buffer), "%.200s/%.50s.conf",
791 radius_dir, main_config.name);
792 if ((cs = cf_file_read(buffer)) == NULL) {
793 ERROR("Errors reading or parsing %s", buffer);
798 * If there was no log destination set on the command line,
801 if (default_log.dst == L_DST_NULL) {
802 if (cf_section_parse(cs, NULL, serverdest_config) < 0) {
803 fprintf(stderr, "radiusd: Error: Failed to parse log{} section.\n");
809 fprintf(stderr, "radiusd: Error: No log destination specified.\n");
814 default_log.dst = fr_str2int(log_str2dst, radlog_dest,
816 if (default_log.dst == L_DST_NUM_DEST) {
817 fprintf(stderr, "radiusd: Error: Unknown log_destination %s\n",
823 if (default_log.dst == L_DST_SYSLOG) {
825 * Make sure syslog_facility isn't NULL
828 if (!syslog_facility) {
829 fprintf(stderr, "radiusd: Error: Syslog chosen but no facility was specified\n");
833 main_config.syslog_facility = fr_str2int(syslog_str2fac, syslog_facility, -1);
834 if (main_config.syslog_facility < 0) {
835 fprintf(stderr, "radiusd: Error: Unknown syslog_facility %s\n",
843 * Call openlog only once, when the
846 openlog(progname, LOG_PID, main_config.syslog_facility);
849 } else if (default_log.dst == L_DST_FILES) {
850 if (!main_config.log_file) {
851 fprintf(stderr, "radiusd: Error: Specified \"files\" as a log destination, but no log filename was given!\n");
860 * Switch users as early as possible.
862 if (!switch_users(cs)) fr_exit(1);
866 * Open the log file AFTER switching uid / gid. If we
867 * did switch uid/gid, then the code in switch_users()
868 * took care of setting the file permissions correctly.
870 if ((default_log.dst == L_DST_FILES) &&
871 (default_log.fd < 0)) {
872 default_log.fd = open(main_config.log_file,
873 O_WRONLY | O_APPEND | O_CREAT, 0640);
874 if (default_log.fd < 0) {
875 fprintf(stderr, "radiusd: Failed to open log file %s: %s\n", main_config.log_file, fr_syserror(errno));
882 * This allows us to figure out where, relative to
883 * radiusd.conf, the other configuration files exist.
885 if (cf_section_parse(cs, NULL, server_config) < 0) {
890 * We ignore colourization of output until after the
891 * configuration files have been parsed.
894 if (do_colourise && p && isatty(default_log.fd) && strstr(p, "xterm")) {
895 default_log.colourise = true;
897 default_log.colourise = false;
901 * Starting the server, WITHOUT "-x" on the
902 * command-line: use whatever is in the config
905 if (debug_flag == 0) {
906 debug_flag = main_config.debug_level;
908 fr_debug_flag = debug_flag;
910 FR_INTEGER_COND_CHECK("max_request_time", main_config.max_request_time, (main_config.max_request_time != 0), 100);
911 FR_INTEGER_BOUND_CHECK("reject_delay", main_config.reject_delay, <=, 10);
912 FR_INTEGER_BOUND_CHECK("cleanup_delay", main_config.cleanup_delay, <=, 10);
915 * Set default initial request processing delay to 1/3 of a second.
916 * Will be updated by the lowest response window across all home servers,
917 * if it is less than this.
919 main_config.init_delay.tv_sec = 0;
920 main_config.init_delay.tv_usec = 2* (1000000 / 3);
923 * Free the old configuration items, and replace them
926 * Note that where possible, we do atomic switch-overs,
927 * to ensure that the pointers are always valid.
929 rad_assert(main_config.config == NULL);
930 root_config = main_config.config = cs;
932 DEBUG2("%s: #### Loading Realms and Home Servers ####", main_config.name);
933 if (!realms_init(cs)) {
937 DEBUG2("%s: #### Loading Clients ####", main_config.name);
938 if (!clients_parse_section(cs, false)) {
943 * Register the %{config:section.subsection} xlat function.
945 xlat_register("config", xlat_config, NULL, NULL);
946 xlat_register("client", xlat_client, NULL, NULL);
947 xlat_register("getclient", xlat_getclient, NULL, NULL);
950 * Go update our behaviour, based on the configuration
955 * Sanity check the configuration for internal
958 FR_INTEGER_BOUND_CHECK("reject_delay", main_config.reject_delay, <=, main_config.cleanup_delay);
961 if (chdir(radlog_dir) < 0) {
962 ERROR("Failed to 'chdir %s' after chroot: %s",
963 radlog_dir, fr_syserror(errno));
968 cc = talloc_zero(NULL, cached_config_t);
971 cc->cs = talloc_steal(cc ,cs);
972 rad_assert(cs_cache == NULL);
975 /* Clear any unprocessed configuration errors */
976 (void) fr_strerror();
982 * Free the configuration. Called only when the server is exiting.
984 int main_config_free(void)
986 virtual_servers_free(0);
989 * Clean up the configuration data
994 listen_free(&main_config.listen);
997 * Frees current config and any previous configs.
999 TALLOC_FREE(cs_cache);
1005 void hup_logfile(void)
1009 if (default_log.dst != L_DST_FILES) return;
1011 fd = open(main_config.log_file,
1012 O_WRONLY | O_APPEND | O_CREAT, 0640);
1015 * Atomic swap. We'd like to keep the old
1016 * FD around so that callers don't
1017 * suddenly find the FD closed, and the
1018 * writes go nowhere. But that's hard to
1019 * do. So... we have the case where a
1020 * log message *might* be lost on HUP.
1022 old_fd = default_log.fd;
1023 default_log.fd = fd;
1028 void main_config_hup(void)
1030 cached_config_t *cc;
1034 INFO("HUP - Re-reading configuration files");
1036 /* Read the configuration file */
1037 snprintf(buffer, sizeof(buffer), "%.200s/%.50s.conf",
1038 radius_dir, main_config.name);
1039 if ((cs = cf_file_read(buffer)) == NULL) {
1040 ERROR("Failed to re-read or parse %s", buffer);
1044 cc = talloc_zero(cs_cache, cached_config_t);
1046 ERROR("Out of memory");
1051 * Save the current configuration. Note that we do NOT
1052 * free older ones. We should probably do so at some
1053 * point. Doing so will require us to mark which modules
1054 * are still in use, and which aren't. Modules that
1055 * can't be HUPed always use the original configuration.
1056 * Modules that can be HUPed use one of the newer
1059 cc->created = time(NULL);
1060 cc->cs = talloc_steal(cc, cs);
1061 cc->next = cs_cache;
1065 * Re-open the log file. If we can't, then keep logging
1066 * to the old log file.
1068 * The "open log file" code is here rather than in log.c,
1069 * because it makes that function MUCH simpler.
1073 INFO("HUP - loading modules");
1076 * Prefer the new module configuration.
1078 modules_hup(cf_section_sub_find(cs, "modules"));
1081 * Load new servers BEFORE freeing old ones.
1083 virtual_servers_load(cs);
1085 virtual_servers_free(cc->created - main_config.max_request_time * 4);