Re: Chrootin' radiusd

Craig Brozefsky (cosmo@dobie.ebs.net)
Mon, 9 Sep 1996 14:53:48 -0500 (CDT)

On Mon, 9 Sep 1996, Jon Lewis wrote:

> On Mon, 9 Sep 1996, Craig Brozefsky wrote:
>
> > Does Livingston or others who distribute a radiusd do this presently, or
> > are they planning to do this? Radius only access, accounting,
> > dictionary, users, logs and password files so it's very easy to build the
> > chrooted environment. It also allows you to use separate password files
> > in case you use the UNIX keyword.
>
> I contemplated doing this (the chroot thing) to radiusd to make a
> secondary radiusd...but instead, I hacked Linux's libshadow and made a
> function where I can specify an alternate shadow file, and made radiusd
> not care if getpwnam returns nothing. All the secondary is interested in
> is what getspnam returns.
>

This doesn't take care of several security problems which can compromise
the machine that radiusd is running on. There should be no binaries in
the chroot environment. You also don't have to remember which version of
the libshadow you linked with; my memory sucks 8)
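
Added example, not part of the original message or of any radiusd distribution: one way to check the "no binaries in the chroot environment" rule on a tree that should hold only data files. The function names `list_findings` and `audit_chroot` are hypothetical, and treating execute/setuid/setgid bits and ELF or `#!` headers as "binaries" is an assumption of this sketch.

```shell
#!/bin/sh
# Audit a data-only chroot tree (users, dictionary, logs, password files)
# for anything that could be run from inside it. Names are hypothetical.

# list_findings DIR: print one line per offending file.
list_findings() {
    # Regular files with any execute bit, or with setuid/setgid set.
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
        -o -perm -4000 -o -perm -2000 \) -print | sed 's/^/exec-or-suid: /'
    # Files that are programs by content, even with no execute bit set.
    find "$1" -type f -print | while IFS= read -r f; do
        magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
        case $magic in
            (7f454c46) echo "elf: $f" ;;      # ELF header
            (2321*)    echo "script: $f" ;;   # "#!" interpreter line
        esac
    done
}

# audit_chroot DIR: return 0 if clean, 1 if findings were printed,
# 2 if DIR is not a directory.
audit_chroot() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    findings=$(list_findings "$1")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/chroot
if [ $# -gt 0 ]; then
    audit_chroot "$1"
fi
```

Running it from cron against the chroot directory and alerting on a non-zero exit catches a binary that appears after the environment was built.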