case "$1" in
configure)
+ if ! id freerad >/dev/null 2>&1; then
+ addgroup --system freerad || true
+ groups freerad 2>/dev/null || adduser --system --no-create-home --home /etc/freeradius --ingroup freerad --disabled-password freerad
- addgroup --system freerad || true
- groups freerad 2>/dev/null || adduser --system --no-create-home --home /etc/freeradius --ingroup freerad --disabled-password freerad
+ # make sure there is a user and group 'freerad'
+ groups freerad |grep freerad >/dev/null
- # make sure there is a user and group 'freerad'
- groups freerad |grep freerad >/dev/null
-
- if [ "$2" = "" ] ; then
# put user freerad in group shadow, so the daemon can auth locally
- usermod -G shadow freerad
+ adduser freerad shadow
fi
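Review bot: The sanity check `groups freerad |grep freerad >/dev/null` cannot detect a missing group, because with GNU coreutils the output of `groups freerad` begins with the user name itself, so grep matches whenever the account exists. Querying both databases states what the comment intends: `getent passwd freerad >/dev/null && getent group freerad >/dev/null`. This matters more because `addgroup --system freerad || true` hides a failed group creation, which leaves this check as the only place a half-created account would be caught. Indentation is lost on this page, so which `if` the closing `fi` pairs with is inferred.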
update-rc.d freeradius defaults 50 >/dev/null
mkdir /var/run/freeradius
fi
- chown freerad:freerad /var/run/freeradius
+ chown -R freerad:freerad /var/log/freeradius
+ chown -R freerad:freerad /var/run/freeradius
+ chgrp -R freerad /etc/freeradius
- find /etc/freeradius -type f -exec chgrp freerad {} \; -exec chmod 640 {} \;
- find /etc/freeradius -type d -exec chgrp freerad {} \; -exec chmod 2750 {} \;
- find /var/log/freeradius -exec chown freerad {} \; -exec chgrp freerad {} \;
+ # Leave the file /etc/freeradius/dictionary with the default
+ # permissions: it should not contain secrets, and this allows
+ # to run radclient with a non-privileged user.
+ find /etc/freeradius -type d -exec chmod 2751 {} \;
+ find /etc/freeradius -type f \! -name dictionary -exec chmod 640 {} \;
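Review bot: The two `chown -R` calls run as root over /var/log/freeradius and /var/run/freeradius, which the freerad account itself can write to, so whatever that account has linked into them changes owner at the next configure. On systems without hard-link protection (`fs.protected_hardlinks`), that can include a hard link to a file owned by another user. Keeping the run directory non-recursive as before, `chown freerad:freerad /var/run/freeradius`, and limiting the recursive log fix-up to a first install (`[ -z "$2" ]`) narrows the exposure. Separately, `\! -name dictionary` skips every file called dictionary at any depth, while the comment names only /etc/freeradius/dictionary; `\! -path /etc/freeradius/dictionary` would match the comment.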
- if [ "$2" = "" ] ; then
+ if [ -z "$2" ]; then
action="start"
else
action="restart"
fi
- if command -v invoke-rc.d >/dev/null 2>&1; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d freeradius $action || true
else
/etc/init.d/freeradius $action
fi
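Review bot: The added `which invoke-rc.d` test inside `[ -x ... ]` depends on an external `which` binary and on backtick substitution, where the shell's own lookup `if command -v invoke-rc.d >/dev/null 2>&1; then` needs neither and behaves the same when the tool is absent. The same test is repeated in the abort-remove branch further down. `$action` is unquoted in `invoke-rc.d freeradius $action`; it only ever holds `start` or `restart` here, so writing `"$action"` is a consistency fix rather than a bug. The fallback `/etc/init.d/freeradius $action` has no `|| true`, so a failed start is tolerated on one path and, if the script runs under `set -e` (not visible here), would abort configuration on the other.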
-
;;
abort-upgrade)
;;
abort-remove)
- if command -v invoke-rc.d >/dev/null 2>&1; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d freeradius start || true
else
/etc/init.d/freeradius start