tmpfolder can't be used on Ubuntu 22.04 due to PrivateTmp systemd option enabled by default #5066

Open
megothub opened this issue Jun 17, 2023 · 5 comments
Labels
defect category: a defect or misbehaviour

megothub commented Jun 17, 2023

What type of defect/bug is this?

Crash or memory corruption (segv, abort, etc...)

How can the issue be reproduced?

OS: Ubuntu 22.04
freeradius to be started as service
no issues if started with freeradius -X

Issue itself: tmpdir can't be used
(e.g. in the case of an EAP configuration with a requirement to check certificates)

described in
/etc/freeradius.old/3.0/mods-enabled/eap

                        #  A temporary directory where the client
                        #  certificates are stored.  This directory
                        #  MUST be owned by the UID of the server,
                        #  and MUST not be accessible by any other
                        #  users.  When the server starts, it will do
                        #  "chmod go-rwx" on the directory, for
                        #  security reasons.  The directory MUST
                        #  exist when the server starts.
                        #
                        #  You should also delete all of the files
                        #  in the directory when the server starts.
                        #
                #       tmpdir = /tmp/radiusd

When the directory is created and configured as described above, freeradius keeps failing with the following error (/var/log/syslog):
Jun 17 15:28:51 vm freeradius[233969]: tls: Failed changing permissions on /tmp/radiusd: No such file or directory

After investigation it is clear that the default systemd script:
/lib/systemd/system/freeradius.service

has the following related setting that causes the issue:

# Private /tmp that isn't shared by other processes
PrivateTmp=true

When changed to false, freeradius starts seeing that tmp folder.
It is expected behavior.

Now, to solve the issue for anyone who will try to enable the tmp folder on Ubuntu systems, I propose the following solution:

a) change /etc/init.d/freeradius script as follows

# /var/run may be a tmpfs
if [ ! -d /var/run/freeradius ]; then
    mkdir -p /var/run/freeradius
    chown freerad:freerad /var/run/freeradius
    mkdir -p /var/run/freeradius/tmp                  # to be added
    chown freerad:freerad /var/run/freeradius/tmp     # to be added
fi

b) change the description and location of the tmp folder in the following conf files
/etc/freeradius.old/3.0/mods-available/eap
/etc/freeradius.old/3.0/sites-available/tls
to highlight that /var/run/freeradius/tmp should be used

Log output from the FreeRADIUS daemon

Not applicable. Check the description of the issue, as freeradius -X doesn't show any issue due to the issue being with the start script.

Relevant log output from client utilities

Not applicable. Check the description of the issue, which contains output from /var/log/syslog.

Backtrace from LLDB or GDB

No response

@megothub megothub added the defect category: a defect or misbehaviour label Jun 17, 2023
@jpereira
Member

@megothub which version are you using?

@megothub
Author

megothub commented Jun 17, 2023

FreeRADIUS Version 3.0.26 from Ubuntu repos
tried to build manually 3.2.3 release - same result

@megothub
Author

Actually, changing /etc/init.d/freeradius is not enough. Checking the systemd script. The /var/run/freeradius/tmp folder was not created while starting freeradius.

@megothub
Author

That's the article I used to configure EAP:
https://wiki.mikrotik.com/wiki/Manual:Wireless_EAP-TLS_using_RouterOS_with_FreeRADIUS

I've found another issue linked to mine
#3119
but there was no answer and it was closed by the topic starter

@ndptech
Member

ndptech commented Aug 23, 2023

Creating a directory in /var/run/freeradius is best done with a systemd override. Try creating /etc/systemd/system/freeradius.service.d/override.conf containing

[Service]
User=freerad
Group=freerad
RuntimeDirectory=freeradius freeradius/tmp
RuntimeDirectoryPreserve=yes

The last option will leave the directory available when the FreeRADIUS service is stopped - without that systemd tidies up runtime directories.
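
The check below is an added example, not code from this thread or from the FreeRADIUS project: it reads systemd unit text and EAP module text and reports whether the configured tmpdir is hidden by PrivateTmp or provided by RuntimeDirectory=. The function names and all sample text are constructed; it assumes PrivateTmp replaces /tmp and /var/tmp and that /var/run points at /run.

```sh
#!/bin/sh
# Added example. All sample text below is constructed for illustration.
SAMPLE_UNIT='[Service]
PrivateTmp=true'
SAMPLE_OVERRIDE='[Service]
RuntimeDirectory=freeradius freeradius/tmp
RuntimeDirectoryPreserve=yes'
SAMPLE_EAP_BAD='        #       tmpdir = /var/run/freeradius/tmp
        tmpdir = /tmp/radiusd'
SAMPLE_EAP_GOOD='        tmpdir = /var/run/freeradius/tmp'

# Effective PrivateTmp ("yes"/"no") from unit text on stdin; last assignment wins.
private_tmp() {
    v=$(sed -n 's/^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        tail -n 1 | tr 'A-Z' 'a-z')
    case "$v" in 1|yes|true|on) echo yes ;; *) echo no ;; esac
}

# Active (uncommented) tmpdir value from EAP module text on stdin.
eap_tmpdir() {
    sed -n 's/^[[:space:]]*tmpdir[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
        tail -n 1 | tr -d '"'
}

# $1 = unit text plus drop-ins, $2 = EAP text. Returns 0 when tmpdir lives in a
# tree (/tmp or /var/tmp) that PrivateTmp replaces with a private mount.
tmpdir_masked() {
    dir=$(printf '%s\n' "$2" | eap_tmpdir)
    [ "$(printf '%s\n' "$1" | private_tmp)" = yes ] || return 1
    case "$dir" in /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 when tmpdir is under /run (or /var/run) and listed in RuntimeDirectory=.
runtime_dir_covers() {
    dir=$(printf '%s\n' "$2" | eap_tmpdir)
    rel=${dir#/var}
    case "$rel" in /run/*) rel=${rel#/run/} ;; *) return 1 ;; esac
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*RuntimeDirectory[[:space:]]*=//p' |
        tr -s ' \t' '\n\n' | grep -qxF "$rel"
}

UNITS="$SAMPLE_UNIT
$SAMPLE_OVERRIDE"
for eap in "$SAMPLE_EAP_BAD" "$SAMPLE_EAP_GOOD"; do
    d=$(printf '%s\n' "$eap" | eap_tmpdir)
    if tmpdir_masked "$UNITS" "$eap"; then echo "FAIL $d: hidden by PrivateTmp"
    elif runtime_dir_covers "$UNITS" "$eap"; then echo "OK   $d: provided by RuntimeDirectory"
    else echo "WARN $d: must be created before the service starts"; fi
done
```

On a live host the same functions can be fed from `systemctl cat freeradius` and the enabled EAP module file instead of the sample strings.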
