--- freeradius-2.1.10+dfsg.orig/debian/freeradius.postinst
+++ freeradius-2.1.10+dfsg/debian/freeradius.postinst
@@ -2,9 +2,84 @@ set -e +update_fs_from_statoverride() { + # I wish a simple dpkg-statoverride --update $file just did + # the right thing, but it doesn't, so we have to do it manually. + type=$1 + user=$2 + group=$3 + mode=$4 + file=$5 + if [ -n "$type" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then + if [ "$(find $file -maxdepth 0 -type $type -group $group -perm $mode)" = "" -a -$type $file ]; then + chgrp $group $file + chmod $mode $file + fi + fi +} + +handle_config_files() { + runmode=$1 + + for file in /etc/freeradius/preproxy_users \ + /etc/freeradius/policy.conf \ + /etc/freeradius/eap.conf \ + /etc/freeradius/experimental.conf \ + /etc/freeradius/huntgroups \ + /etc/freeradius/proxy.conf \ + /etc/freeradius/attrs.pre-proxy \ + /etc/freeradius/hints \ + /etc/freeradius/sql.conf \ + /etc/freeradius/ldap.attrmap \ + /etc/freeradius/attrs \ + /etc/freeradius/policy.txt \ + /etc/freeradius/attrs.accounting_response \ + /etc/freeradius/attrs.access_reject \ + /etc/freeradius/attrs.access_challenge \ + /etc/freeradius/clients.conf \ + /etc/freeradius/acct_users + do + set +e + so=$(dpkg-statoverride --list $file) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0640 $file + fi + ;; + upgrade) + update_fs_from_statoverride f $so + ;; + esac + done + + for dir in /etc/freeradius/certs \ + /etc/freeradius/sites-available \ + /etc/freeradius/sites-enabled + do + set +e + so=$(dpkg-statoverride --list $dir) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update freerad freerad 2751 $dir + fi + ;; + upgrade) + update_fs_from_statoverride d $so + ;; + esac + done +} + case "$1" in configure) if [ -z "$2" ]; then + # Changed in 1.1.5-1 for new installs (we used to start at S50 # and stop at K50) We now start at S50 and stop at K19 so we # start after services which may be used and stop before them. 
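Review bot: `update_fs_from_statoverride` reads the override's owner into `user` but never uses it: only `chgrp` and `chmod` run and `find` is not given `-user`, so an override such as `freerad freerad 2751` whose directory has reverted to root:root (exactly the case the changelog describes) is only half restored — group and mode come back, ownership stays root. The same helper is pasted verbatim into four maintainer scripts in this diff, so any fix has to land in each copy. I would change the guard to `if [ -n "$type" -a -n "$user" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then`, the probe to `if [ "$(find "$file" -maxdepth 0 -type "$type" -user "$user" -group "$group" -perm "$mode")" = "" -a -$type "$file" ]; then`, and the `chgrp` to `chown "$user:$group" "$file"`; the quoting costs nothing even though callers pass fixed paths. Note that `$so` is deliberately word-split at the call sites (`update_fs_from_statoverride f $so`), which only works because none of the listed paths contain whitespace — a one-line comment saying so would stop a future reader "fixing" it.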
@@ -12,11 +87,11 @@ # Set up initial permissions on all the freeradius directories - if ! dpkg-statoverride --list | grep -q /var/run/freeradius$; then + if ! dpkg-statoverride --list /var/run/freeradius >/dev/null; then dpkg-statoverride --add --update freerad freerad 0755 /var/run/freeradius fi - if ! dpkg-statoverride --list | grep -q /var/log/freeradius$; then + if ! dpkg-statoverride --list /var/log/freeradius >/dev/null; then dpkg-statoverride --add --update freerad freerad 0750 /var/log/freeradius fi @@ -24,41 +99,15 @@ [ ! -f "/var/log/freeradius/${file}" ] && install -o freerad -g freerad -m 644 /dev/null /var/log/freeradius/${file} done - for file in /etc/freeradius/preproxy_users \ - /etc/freeradius/policy.conf \ - /etc/freeradius/eap.conf \ - /etc/freeradius/experimental.conf \ - /etc/freeradius/huntgroups \ - /etc/freeradius/proxy.conf \ - /etc/freeradius/attrs.pre-proxy \ - /etc/freeradius/hints \ - /etc/freeradius/sql.conf \ - /etc/freeradius/ldap.attrmap \ - /etc/freeradius/attrs \ - /etc/freeradius/policy.txt \ - /etc/freeradius/attrs.accounting_response \ - /etc/freeradius/attrs.access_reject \ - /etc/freeradius/attrs.access_challenge \ - /etc/freeradius/clients.conf \ - /etc/freeradius/acct_users - do - if ! dpkg-statoverride --list | grep -qw $file$; then - dpkg-statoverride --add --update root freerad 0640 $file - fi - done - - for dir in /etc/freeradius/certs/ \ - /etc/freeradius/sites-available/ \ - /etc/freeradius/sites-enabled/ - do - if ! dpkg-statoverride --list | grep -qw $dir$; then - dpkg-statoverride --add --update freerad freerad 2751 $dir - fi - done + handle_config_files initial action="start" + else + + handle_config_files upgrade action="restart" + fi # Create links for default sites, but only if this is an initial 
@@ -93,8 +142,11 @@ serverpem=wasnotthere ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/freeradius/certs/server.pem fi - if egrep -q '^[ ]*private_key_file = \${certdir}/server.pem' /etc/freeradius/eap.conf && \ - [ "$serverpem" = "wasnotthere" ] + if ( egrep -q '^[ ]*private_key_file = \${certdir}/server.pem' /etc/freeradius/eap.conf && \ + [ "$serverpem" = "wasnotthere" ] ) \ + || \ + ( egrep -q '^[ ]*private_key_file = \${certdir}/server.key' /etc/freeradius/eap.conf && \ + test ! -f /etc/freeradius/certs/server.key ) then ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/freeradius/certs/server.key sed -i -e 's,^\([ ]*private_key_file = \${certdir}\)/server.pem$,\1/server.key,' /etc/freeradius/eap.conf @@ -106,12 +158,12 @@ if egrep -q '^[ ]*CA_file = \${cadir}/ca.pem' /etc/freeradius/eap.conf && \ test ! -f /etc/freeradius/certs/ca.pem then - ln -s /etc/ssl/certs/ca.pem /etc/freeradius/certs/ca.pem + ln -s /etc/ssl/certs/ca-certificates.crt /etc/freeradius/certs/ca.pem fi if egrep -q '^[ ]*random_file = \${certdir}/random' /etc/freeradius/eap.conf && \ test ! -f /etc/freeradius/certs/random then - ln -s /dev/urandom /etc/freeradius/certs/random + sed -i -e 's,^\([ ]*random_file = \)\${certdir}/random$,\1/dev/urandom,' /etc/freeradius/eap.conf fi if egrep -q '^[ ]*dh_file = \${certdir}/dh' /etc/freeradius/eap.conf && \ test ! -f /etc/freeradius/certs/dh --- freeradius-2.1.10+dfsg.orig/debian/freeradius-postgresql.postinst +++ freeradius-2.1.10+dfsg/debian/freeradius-postgresql.postinst 
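Review bot: The new second alternative uses `test ! -f /etc/freeradius/certs/server.key`, which gives the wrong answer for a dangling symlink (a link left behind after the snakeoil key was removed or never generated): `-f` follows the link and fails, the condition is true, and the following `ln -s` then dies with "File exists", which under the script's `set -e` aborts the postinst and leaves the package half-configured. Replace it with `test ! -e /etc/freeradius/certs/server.key -a ! -L /etc/freeradius/certs/server.key` so an existing (even broken) link is left to the admin rather than tripped over. Separately, the symlink only helps if the freerad user can read `/etc/ssl/private/ssl-cert-snakeoil.key`, which the ssl-cert package ships as root:ssl-cert 0640; nothing in this hunk adds freerad to the `ssl-cert` group, so that must happen elsewhere (not visible here) or EAP-TLS will fail to load the key at startup.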
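Review bot: Pointing `CA_file` at `/etc/ssl/certs/ca-certificates.crt` by default makes the whole public CA bundle the EAP-TLS trust anchor, so any client certificate chaining to any of those CAs passes verification — a working-out-of-the-box default, but almost never the intended access policy for client-certificate authentication on a RADIUS server. Since the postinst silently creates the link, this deserves a loud comment next to the `CA_file` line in the shipped eap.conf (or in README.Debian), along the lines of `# Debian default: the system CA bundle. Replace with your own CA before relying on EAP-TLS client certificates.`; the changelog's rationale is not something an admin reading eap.conf will ever see. The `random_file` rewrite to `/dev/urandom` via `sed -i` is fine and avoids the symlink-in-/etc problem the changelog mentions.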
@@ -2,6 +2,22 @@ set -e +update_fs_from_statoverride() { + # I wish a simple dpkg-statoverride --update $file just did + # the right thing, but it doesn't, so we have to do it manually. + type=$1 + user=$2 + group=$3 + mode=$4 + file=$5 + if [ -n "$type" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then + if [ "$(find $file -maxdepth 0 -type $type -group $group -perm $mode)" = "" -a -$type $file ]; then + chgrp $group $file + chmod $mode $file + fi + fi +} + case "$1" in configure) for file in /etc/freeradius/sql/postgresql/cisco_h323_db_schema.sql \ @@ -14,16 +30,32 @@ /etc/freeradius/sql/postgresql/update_radacct_group_trigger.sql \ /etc/freeradius/sql/postgresql/voip-postpaid.conf do - if ! dpkg-statoverride --list | grep -qw $file$; then - dpkg-statoverride --add --update root freerad 0640 $file + set +e + so=$(dpkg-statoverride --list $file) + ret=$? + set -e + if [ -z "$2" ]; then + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0640 $file + fi + else + update_fs_from_statoverride f $so fi done for dir in /etc/freeradius/sql \ /etc/freeradius/sql/postgresql do - if ! dpkg-statoverride --list | grep -qw $dir$; then - dpkg-statoverride --add --update root freerad 2751 $dir + set +e + so=$(dpkg-statoverride --list $dir) + ret=$? + set -e + if [ -z "$2" ]; then + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 2751 $dir + fi + else + update_fs_from_statoverride d $so fi done @@ -38,6 +70,3 @@ #DEBHELPER# exit 0 - - - --- freeradius-2.1.10+dfsg.orig/debian/freeradius.default +++ freeradius-2.1.10+dfsg/debian/freeradius.default @@ -0,0 +1,2 @@ +# Options for the FreeRADIUS daemon. +FREERADIUS_OPTIONS="" --- freeradius-2.1.10+dfsg.orig/debian/control +++ freeradius-2.1.10+dfsg/debian/control @@ -3,8 +3,8 @@ quilt, dpkg-dev (>= 1.13.19), autotools-dev, - libtool, - libltdl3-dev, + libtool (>= 2.2), + libltdl-dev (>= 2.2), libssl-dev, libpam0g-dev, libmysqlclient-dev, 
@@ -17,18 +17,18 @@ libpcap-dev, python-dev, libsnmp-dev, - libpq-dev, - libssl-dev + libpq-dev Section: net Priority: optional -Maintainer: Josip Rodin +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Josip Rodin Uploaders: Stephen Gran , Mark Hymers -Standards-Version: 3.8.3 +Standards-Version: 3.8.4 Homepage: http://www.freeradius.org/ Package: freeradius Architecture: any -Depends: lsb-base (>= 3.1-23.2), ${shlibs:Depends}, freeradius-common, libfreeradius2 (= ${binary:Version}), ssl-cert, adduser +Depends: lsb-base (>= 3.1-23.2), ${shlibs:Depends}, ${misc:Depends}, freeradius-common, libfreeradius2 (= ${binary:Version}), ssl-cert, ca-certificates, adduser Provides: radius-server Recommends: freeradius-utils Suggests: freeradius-ldap, freeradius-postgresql, freeradius-mysql, freeradius-krb5 @@ -42,7 +42,7 @@ and lots more. Package: freeradius-common -Depends: adduser +Depends: ${misc:Depends}, adduser Architecture: all Conflicts: radiusd-livingston, xtradius, yardradius Replaces: freeradius (<< 2.0) @@ -54,7 +54,7 @@ Architecture: any Replaces: freeradius (<< 2.0) Conflicts: radiusd-livingston, yardradius -Depends: ${shlibs:Depends}, freeradius-common, libfreeradius2 (= ${binary:Version}) +Depends: ${shlibs:Depends}, ${misc:Depends}, freeradius-common, libfreeradius2 (= ${binary:Version}) Recommends: libdbi-perl Description: FreeRADIUS client utilities This package contains various client programs and utilities from @@ -74,7 +74,7 @@ Package: libfreeradius2 Architecture: any -Depends: ${shlibs:Depends} +Depends: ${shlibs:Depends}, ${misc:Depends} Description: FreeRADIUS shared library The FreeRADIUS projects' libfreeradius-radius and libfreeradius-eap, used by the FreeRADIUS server and some of the utilities. 
@@ -82,7 +82,7 @@ Package: libfreeradius-dev Architecture: any Section: libdevel -Depends: ${shlibs:Depends}, libfreeradius2 (= ${binary:Version}) +Depends: ${shlibs:Depends}, ${misc:Depends}, libfreeradius2 (= ${binary:Version}) Description: FreeRADIUS shared library development files The FreeRADIUS projects' libfreeradius-radius and libfreeradius-eap, used by the FreeRADIUS server and some of the utilities. 
@@ -91,42 +91,42 @@ Package: freeradius-krb5 Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: kerberos module for FreeRADIUS server The FreeRADIUS server can use Kerberos to authenticate users, and this module is necessary for that. Package: freeradius-ldap Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: LDAP module for FreeRADIUS server The FreeRADIUS server can use LDAP to authenticate users, and this module is necessary for that. Package: freeradius-postgresql Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: PostgreSQL module for FreeRADIUS server The FreeRADIUS server can use PostgreSQL to authenticate users and do accounting, and this module is necessary for that. Package: freeradius-mysql Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: MySQL module for FreeRADIUS server The FreeRADIUS server can use MySQL to authenticate users and do accounting, and this module is necessary for that. Package: freeradius-iodbc Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: iODBC module for FreeRADIUS server The FreeRADIUS server can use iODBC to access databases to authenticate users and do accounting, and this module is necessary for that. 
Package: freeradius-dialupadmin Architecture: all -Depends: php5 | libapache2-mod-php5 | php5-cgi, apache2-mpm-prefork | httpd, ${perl:Depends} +Depends: php5 | libapache2-mod-php5 | php5-cgi, apache2-mpm-prefork | httpd, ${perl:Depends}, ${misc:Depends} Suggests: php5-mysql | php5-pgsql, php5-ldap, libdate-manip-perl Description: set of PHP scripts for administering a FreeRADIUS server These scripts provide a web-based interface for administering a FreeRADIUS --- freeradius-2.1.10+dfsg.orig/debian/freeradius-mysql.prerm +++ freeradius-2.1.10+dfsg/debian/freeradius-mysql.prerm @@ -11,7 +11,7 @@ /etc/freeradius/sql/mysql/nas.sql \ /etc/freeradius/sql/mysql/schema.sql do - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi done @@ -19,7 +19,7 @@ for dir in /etc/freeradius/sql \ /etc/freeradius/sql/mysql do - if dpkg-statoverride --list | grep -qw $dir$; then + if dpkg-statoverride --list $dir >/dev/null; then dpkg-statoverride --remove $dir fi done --- freeradius-2.1.10+dfsg.orig/debian/changelog +++ freeradius-2.1.10+dfsg/debian/changelog 
@@ -1,6 +1,144 @@ -freeradius (2.1.10+git) unstable; urgency=medium +freeradius (2.1.10+dfsg-3ubuntu0.12.04.2) precise-security; urgency=medium - -- Alan DeKok Sat, 02 Jan 2010 20:22:47 +0100 + * SECURITY UPDATE: incorrect password expiration check + - debian/patches/CVE-2011-4966.patch: check for both account and + password expiration in src/modules/rlm_unix/rlm_unix.c. + - CVE-2011-4966 + * SECURITY UPDATE: denial of service and possible code execution via + buffer overflow in rlm_pap module + - debian/patches/CVE-2013-2015.patch: properly handle buffer size in + src/modules/rlm_pap/rlm_pap.c. + - CVE-2014-2015 + + -- Marc Deslauriers Mon, 24 Feb 2014 09:19:58 -0500 + +freeradius (2.1.10+dfsg-3ubuntu0.12.04.1) precise-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + crafted client certificates + - debian/patches/CVE-2012-3547.diff: use correct size in + src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c. + - CVE-2012-3547 + + -- Marc Deslauriers Mon, 24 Sep 2012 12:46:41 -0400 + +freeradius (2.1.10+dfsg-3build2) precise; urgency=low + + * Rebuild for libmysqlclient transition + + -- Clint Byrum Wed, 23 Nov 2011 23:30:18 -0800 + +freeradius (2.1.10+dfsg-3build1) precise; urgency=low + + * Rebuild for Perl 5.14. + + -- Colin Watson Wed, 16 Nov 2011 01:24:03 +0000 + +freeradius (2.1.10+dfsg-3) unstable; urgency=low + + * Fixed the silly error that rendered previous attempts to use the + right libtool functions useless, hopefully finally closes: #416266. + * Link radeapclient with libradius to fix linking with binutils-gold, + closes: #553387. + * Fix the debug mode crashing when home server doesn't respond to + a proxied request. Dmitry Borodaenko cherry-picked upstream commits + 540a0515de93d99ef45f97b9114185f159587b51 and + ab972f1f9b724fc0b71e6ca726078c92ad26bc6b, thanks, closes: #609870. 
+ * Fixed udpfromto IPv6 breakage because of broken offsetof tests, + backported upstream b4f0c7ed4dc9811d8dfa982540ed8cb721cc854a + (one minor change necessary) as well as + 655f0786d60fe02440763df69b1aaf5110706690, as well as the simple + IPV6_RECVPKTINFO change, hopefully it activates all the right + modern IPv6 functions and closes: #606866. + + -- Josip Rodin Thu, 05 May 2011 23:50:20 +0200 + +freeradius (2.1.10+dfsg-2) unstable; urgency=medium + + * The zombie period start time variable mistakenly got set to a random + value because of an upstream typo. Cherry-picked upstream commit + 7b7dff7724721f8af5fd163f2292d427a869992d into a Debian patch, + requested for squeeze in #600465. + * Since 2.1.9, the daemon stopped reopening the default radius.log file + constantly, which means the default logrotate setup breaks the default + logging. D'oh. We now have to send SIGHUP to the daemon as a postrotate + action, which makes it reopen log files and continue normally. + * Added delaycompress to the logrotate options, just to be on the safe + side. + * Added a reload action into the init script accordingly, so that the + right pidfile is picked up (one that can be overridden by the admin + in /etc/default/freeradius, available since the last release). + * Called reload from the postrotate section, closes: #602815. + * However, the latter signal also makes the server re-read configuration + files, but unlike the initial server start, this all happens under + the unprivileged user. That in turn means that if by any chance there + is any part of FR configuration that happens not to be readable by + group freerad (or whatever non-default is configured), the reload + will fail, effectively silently, as the log has been moved away. Gah. + So we have to make an effort to ensure that the configuration files + are still readable by that user, otherwise the reload fails and the + aforementioned bug is not fixed. 
The files seem to revert to + root:root upon conffile actions, at least that's what happened to me + and I think that was the cause. So, on upgrade, try to re-apply the + dpkg-statoverrides on our /etc/freeradius/* stuff, whatever they are, + under the assumption they will let the freerad group read config files + as is the initial setup. (I wish dpkg-statoverride --update $file + just did the right thing, but it doesn't, so there's a new local + function that does that.) + * While doing the latter, noticed that we were checking for directories + in dpkg-statoverride --list output with trailing slashes, but they + get output without it, so it was a no-op. Fixed the check by removing + the trailing slashes. Also then noticed that we were grepping --list + output, but it takes an optional glob pattern, so saved us that + pointless grep fork by using that facility, just as described in the + policy manual. + * force-reload switches from restart to reload, per policy 9.3.2. + * lenny backport needed also libltdl-dev (2.2.x) to build properly, rather + than libltdl3-dev, which is obsolete and doesn't make sense anyway. + + -- Josip Rodin Sat, 13 Nov 2010 15:21:30 +0100 + +freeradius (2.1.10+dfsg-1) unstable; urgency=medium + + * New upstream version, closes a bunch of reproducible SNAFUs, + including two tagged as security issues, CVE-2010-3696, CVE-2010-3697, + closes: #600176. + * Build-depend on newer Libtool because of lt_dladvise_init(), also + upstream now has a configure check so we no longer need a patch, + yet we still don't want the old behaviour. Noticed by John Morrissey, + closes: #584151. + * Added the /etc/default/freeradius file as suggested by + Rudy Gevaert and Matthew Newton, closes: #564716. + * Stop symlinking /dev/urandom into /etc/freeradius/certs/random, + it breaks grep -r in /etc. Instead, replace it inside eap.conf, + both in the new shipped conffile and in postinst. 
+ + -- Josip Rodin Thu, 14 Oct 2010 21:51:51 +0200 + +freeradius (2.1.9+dfsg-1) unstable; urgency=low + + * New upstream version. + + radclient (radtest) should now use IPv4 by default, closes: #569614. + * Depend on ca-certificates explicitly, closes: #569601. + * I mistook ca.pem for the locally selected acceptable CA, whereas that + actually just happens to mean DebConf.org CA, and we want the former + by default. That in turn is in /etc/ssl/certs/ca-certificates.crt. + Obviously later the users can trivially change this, but this looks + like a reasonably reliable default that doesn't involve a lot of magic + that can delay or break postinst invocations. In the future, eap.conf + will become modules/eap and this will not be so critical. + * The private_key_file = ${certdir}/server.pem default doesn't get along + with snakeoil, or common sense really (why would you keep a secret key + in the same file as the non-secret certificate?), and could have broken + upgrades if people accepted the conffile prompt, so adjusted the + default conffile too, and adjusted the postinst upgrade logic as well. + * Enable HAVE_LT_DLADVISE_INIT as it fixes the module symbol lookup + errors from additional libraries, closes: #416266. + * Explicate source format as 1.0. + * Add ${misc:Depends} to all binary packages. + * Update standards version to 3.8.4, no changes necessary. + + -- Josip Rodin Sun, 30 May 2010 12:48:55 +0200 freeradius (2.1.8+dfsg-1) unstable; urgency=medium --- freeradius-2.1.10+dfsg.orig/debian/freeradius-common.postinst +++ freeradius-2.1.10+dfsg/debian/freeradius-common.postinst 
@@ -2,6 +2,73 @@ set -e +update_fs_from_statoverride() { + # I wish a simple dpkg-statoverride --update $file just did + # the right thing, but it doesn't, so we have to do it manually. + type=$1 + user=$2 + group=$3 + mode=$4 + file=$5 + if [ -n "$type" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then + if [ "$(find $file -maxdepth 0 -type $type -group $group -perm $mode)" = "" -a -$type $file ]; then + chgrp $group $file + chmod $mode $file + fi + fi +} + +handle_config_files() { + runmode=$1 + + set +e + so=$(dpkg-statoverride --list /etc/freeradius) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update freerad freerad 2751 /etc/freeradius + fi + ;; + upgrade) + update_fs_from_statoverride d $so + ;; + esac + + set +e + so=$(dpkg-statoverride --list /etc/freeradius/radiusd.conf) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0640 /etc/freeradius/radiusd.conf + fi + ;; + upgrade) + update_fs_from_statoverride f $so + ;; + esac + + # Relax permissions on local dictionary - allows radclient to run and should + # not contain secrets. At any rate, only do it on fresh install + set +e + so=$(dpkg-statoverride --list /etc/freeradius/dictionary) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0644 /etc/freeradius/dictionary + fi + ;; + upgrade) + update_fs_from_statoverride f $so + ;; + esac +} + case "$1" in configure) if [ -z "$2" ]; then 
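Review bot: The override `freerad freerad 2751 /etc/freeradius` (carried over from the old code into `handle_config_files`) makes the unprivileged daemon user the writable owner of its own configuration directory, so a compromised freerad process can unlink and replace the root-owned 0640 `radiusd.conf` and every other conffile there — the `root freerad 0640` file overrides do not protect against that, because directory write permission without a sticky bit allows removing any entry. If the daemon only needs to read the tree, `root freerad 2750` is the least-privilege choice; if it genuinely needs to write somewhere (I cannot tell from this hunk whether certs/ or sites-enabled/ is written at runtime), a comment naming what and why would stop the next maintainer from silently tightening it. Also, the comment "At any rate, only do it on fresh install" above the dictionary block now sits beside an `upgrade)` case that re-applies the override on every upgrade; rewording it to `# only add the override on fresh install; upgrades just re-apply an existing one` would match the code.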
@@ -13,20 +80,10 @@ # group if authenticating by another mechanism adduser --quiet freerad shadow - if ! dpkg-statoverride --list | grep -qw /etc/freeradius$; then - dpkg-statoverride --add --update freerad freerad 2751 /etc/freeradius - fi - - if ! dpkg-statoverride --list | grep -qw /etc/freeradius/radiusd.conf$; then - dpkg-statoverride --add --update root freerad 0640 /etc/freeradius/radiusd.conf - fi - - # Relax permissions on local dictionary - allows radclient to run and should - # not contain secrets. At any rate, only do it on fresh install - if ! dpkg-statoverride --list | grep -qw /etc/freeradius/dictionary$; then - dpkg-statoverride --add --update root freerad 0644 /etc/freeradius/dictionary - fi + handle_config_files initial + else + handle_config_files upgrade fi ;; esac --- freeradius-2.1.10+dfsg.orig/debian/freeradius-mysql.postinst +++ freeradius-2.1.10+dfsg/debian/freeradius-mysql.postinst @@ -2,6 +2,22 @@ set -e +update_fs_from_statoverride() { + # I wish a simple dpkg-statoverride --update $file just did + # the right thing, but it doesn't, so we have to do it manually. + type=$1 + user=$2 + group=$3 + mode=$4 + file=$5 + if [ -n "$type" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then + if [ "$(find $file -maxdepth 0 -type $type -group $group -perm $mode)" = "" -a -$type $file ]; then + chgrp $group $file + chmod $mode $file + fi + fi +} + case "$1" in configure) for file in /etc/freeradius/sql/mysql/counter.conf \ 
@@ -11,16 +27,32 @@ /etc/freeradius/sql/mysql/nas.sql \ /etc/freeradius/sql/mysql/schema.sql do - if ! dpkg-statoverride --list | grep -qw $file$; then - dpkg-statoverride --add --update root freerad 0640 $file + set +e + so=$(dpkg-statoverride --list $file) + ret=$? + set -e + if [ -z "$2" ]; then + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0640 $file + fi + else + update_fs_from_statoverride f $so fi done for dir in /etc/freeradius/sql \ /etc/freeradius/sql/mysql do - if ! dpkg-statoverride --list | grep -qw $dir$; then - dpkg-statoverride --add --update root freerad 2751 $dir + set +e + so=$(dpkg-statoverride --list $dir) + ret=$? + set -e + if [ -z "$2" ]; then + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 2751 $dir + fi + else + update_fs_from_statoverride d $so fi done @@ -35,5 +67,3 @@ #DEBHELPER# exit 0 - - --- freeradius-2.1.10+dfsg.orig/debian/freeradius-common.prerm +++ freeradius-2.1.10+dfsg/debian/freeradius-common.prerm @@ -5,12 +5,12 @@ case "$1" in remove) for file in /etc/freeradius/radiusd.conf /etc/freeradius/dictionary; do - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi done - if dpkg-statoverride --list | grep -qw /etc/freeradius$; then + if dpkg-statoverride --list /etc/freeradius >/dev/null; then dpkg-statoverride --remove /etc/freeradius fi ;; --- freeradius-2.1.10+dfsg.orig/debian/freeradius.preinst +++ freeradius-2.1.10+dfsg/debian/freeradius.preinst @@ -76,7 +76,7 @@ rm_conffile "$file" # must get rid of the overrides otherwise they corrupt the database - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi --- freeradius-2.1.10+dfsg.orig/debian/freeradius-postgresql.prerm +++ freeradius-2.1.10+dfsg/debian/freeradius-postgresql.prerm 
@@ -14,7 +14,7 @@ /etc/freeradius/sql/postgresql/update_radacct_group_trigger.sql \ /etc/freeradius/sql/postgresql/voip-postpaid.conf do - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi done @@ -22,7 +22,7 @@ for dir in /etc/freeradius/sql \ /etc/freeradius/sql/postgresql do - if dpkg-statoverride --list | grep -qw $dir$; then + if dpkg-statoverride --list $dir >/dev/null; then dpkg-statoverride --remove $dir fi done --- freeradius-2.1.10+dfsg.orig/debian/freeradius.logrotate +++ freeradius-2.1.10+dfsg/debian/freeradius.logrotate @@ -2,6 +2,10 @@ weekly rotate 52 compress + delaycompress notifempty + missingok + postrotate + /etc/init.d/freeradius reload > /dev/null + endscript } - --- freeradius-2.1.10+dfsg.orig/debian/freeradius.prerm +++ freeradius-2.1.10+dfsg/debian/freeradius.prerm @@ -28,7 +28,7 @@ /etc/freeradius/clients.conf \ /etc/freeradius/acct_users do - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi done @@ -39,7 +39,7 @@ /var/run/freeradius \ /var/log/freeradius do - if dpkg-statoverride --list | grep -qw $dir$; then + if dpkg-statoverride --list $dir >/dev/null; then dpkg-statoverride --remove $dir fi done --- freeradius-2.1.10+dfsg.orig/debian/freeradius.init +++ freeradius-2.1.10+dfsg/debian/freeradius.init @@ -21,6 +21,10 @@ PIDFILE="/var/run/freeradius/freeradius.pid" DESCR="FreeRADIUS daemon" +if [ -r /etc/default/$PROG ]; then + . /etc/default/$PROG +fi + test -f $PROGRAM || exit 0 # /var/run may be a tmpfs @@ -36,7 +40,7 @@ case "$1" in start) log_daemon_msg "Starting $DESCR" "$PROG" - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $PROGRAM || ret=$? + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $PROGRAM -- $FREERADIUS_OPTIONS || ret=$? log_end_msg $ret exit $ret ;; 
@@ -44,18 +48,28 @@ log_daemon_msg "Stopping $DESCR" "$PROG" if [ -f "$PIDFILE" ] ; then start-stop-daemon --stop --retry=TERM/30/KILL/5 --quiet --pidfile $PIDFILE || ret=$? - log_end_msg $ret else log_action_cont_msg "$PIDFILE not found" - log_end_msg 0 + ret=0 fi + log_end_msg $ret ;; - restart|force-reload) + restart) $0 stop $0 start ;; + reload|force-reload) + log_daemon_msg "Reloading $DESCR" "$PROG" + if [ -f "$PIDFILE" ] ; then + start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE || ret=$? + else + log_action_cont_msg "$PIDFILE not found" + ret=0 + fi + log_end_msg $ret + ;; *) - echo "Usage: $0 start|stop|restart|force-reload" + echo "Usage: $0 start|stop|restart|force-reload|reload" exit 1 ;; esac --- freeradius-2.1.10+dfsg.orig/debian/source/format +++ freeradius-2.1.10+dfsg/debian/source/format @@ -0,0 +1 @@ +1.0 --- freeradius-2.1.10+dfsg.orig/debian/patches/gnu_source_for_offsetof.diff +++ freeradius-2.1.10+dfsg/debian/patches/gnu_source_for_offsetof.diff 
@@ -0,0 +1,58 @@ +diff --git a/configure b/configure +index 73e8732..1d31689 100755 +--- a/configure ++++ b/configure +@@ -3824,6 +3824,10 @@ else + fi + + ++if test "x$GCC" = "xyes"; then ++ CFLAGS="$CFLAGS -Wall -D_GNU_SOURCE" ++fi ++ + # Check whether --enable-largefile was given. + if test "${enable_largefile+set}" = set; then + enableval=$enable_largefile; +@@ -25114,10 +25118,6 @@ else + fi + + +-if test "x$GCC" = "xyes"; then +- CFLAGS="$CFLAGS -Wall -D_GNU_SOURCE" +-fi +- + { echo "$as_me:$LINENO: checking for developer gcc flags" >&5 + echo $ECHO_N "checking for developer gcc flags... $ECHO_C" >&6; } + if test "x$developer" = "xyes" -a "x$GCC" = "xyes"; then +diff --git a/configure.in b/configure.in +index a12eb9f..d1d8e30 100644 +--- a/configure.in ++++ b/configure.in +@@ -52,6 +52,13 @@ AC_PROG_GCC_TRADITIONAL + AC_PROG_CC_SUNPRO + AC_PROG_RANLIB + ++dnl # ++dnl # Set Default CFLAGS ++dnl # ++if test "x$GCC" = "xyes"; then ++ CFLAGS="$CFLAGS -Wall -D_GNU_SOURCE" ++fi ++ + dnl Compile in large (2G+) file support. + AC_SYS_LARGEFILE + +@@ -919,13 +926,6 @@ else + fi + AC_SUBST(LIBPREFIX) + +-dnl # +-dnl # Set Default CFLAGS +-dnl # +-if test "x$GCC" = "xyes"; then +- CFLAGS="$CFLAGS -Wall -D_GNU_SOURCE" +-fi +- + AC_MSG_CHECKING(for developer gcc flags) + if test "x$developer" = "xyes" -a "x$GCC" = "xyes"; then + devflags="-g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef" --- freeradius-2.1.10+dfsg.orig/debian/patches/offsetof.diff +++ freeradius-2.1.10+dfsg/debian/patches/offsetof.diff 
@@ -0,0 +1,135 @@ +diff --git a/acinclude.m4 b/acinclude.m4 +index 1dd8ad1..2730606 100644 +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -349,6 +349,9 @@ dnl + + AC_TRY_COMPILE([ + $1 ++#ifdef HAVE_STDDEF_H ++#include ++#endif + #ifndef offsetof + #define offsetof(TYPE, MEMBER) ((int) &((TYPE *)0)->MEMBER) + #endif +diff --git a/configure b/configure +index cd0356c..73e8732 100755 +--- a/configure ++++ b/configure +@@ -20091,9 +20091,7 @@ echo "${ECHO_T}no" >&6; } + fi + + +-else + +- LIBTOOL="`pwd`/libtool" + + + +@@ -20103,6 +20101,10 @@ else + + + ++else ++ ++ LIBTOOL="`pwd`/libtool" ++ + + + +@@ -22726,6 +22728,8 @@ fi + + + ++ ++ + for ac_header in \ + unistd.h \ + crypt.h \ +@@ -22760,6 +22764,7 @@ for ac_header in \ + prot.h \ + pwd.h \ + grp.h \ ++ stddef.h \ + sia.h \ + siad.h + +@@ -23163,6 +23168,7 @@ echo "$as_me: skipping test for openssl/ssl.h" >&6;} + + + ++ + for ac_header in \ + openssl/ssl.h \ + openssl/crypto.h \ +@@ -24775,6 +24781,9 @@ cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ + + #include ++#ifdef HAVE_STDDEF_H ++#include ++#endif + #ifndef offsetof + #define offsetof(TYPE, MEMBER) ((int) &((TYPE *)0)->MEMBER) + #endif +@@ -24848,6 +24857,9 @@ cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ + + #include ++#ifdef HAVE_STDDEF_H ++#include ++#endif + #ifndef offsetof + #define offsetof(TYPE, MEMBER) ((int) &((TYPE *)0)->MEMBER) + #endif +@@ -24920,6 +24932,9 @@ cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. 
*/ + + #include ++#ifdef HAVE_STDDEF_H ++#include ++#endif + #ifndef offsetof + #define offsetof(TYPE, MEMBER) ((int) &((TYPE *)0)->MEMBER) + #endif +diff --git a/configure.in b/configure.in +index 24476fb..a12eb9f 100644 +--- a/configure.in ++++ b/configure.in +@@ -619,6 +619,7 @@ AC_CHECK_HEADERS( \ + prot.h \ + pwd.h \ + grp.h \ ++ stddef.h \ + sia.h \ + siad.h + ) +diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in +index 9b5d1b8..3493254 100644 +--- a/src/include/autoconf.h.in ++++ b/src/include/autoconf.h.in +@@ -257,6 +257,9 @@ + /* Define to 1 if you have the `snprintf' function. */ + #undef HAVE_SNPRINTF + ++/* Define to 1 if you have the header file. */ ++#undef HAVE_STDDEF_H ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_STDINT_H + +diff --git a/src/include/missing.h b/src/include/missing.h +index 7c7b37f..679d7f2 100644 +--- a/src/include/missing.h ++++ b/src/include/missing.h +@@ -18,6 +18,10 @@ RCSIDH(missing_h, "$Id$") + #include + #endif + ++#ifdef HAVE_STDDEF_H ++#include ++#endif ++ + #ifdef HAVE_SYS_TYPES_H + #include + #endif --- freeradius-2.1.10+dfsg.orig/debian/patches/series +++ freeradius-2.1.10+dfsg/debian/patches/series @@ -2,3 +2,15 @@ dialupadmin-help.diff gitignore.diff rlm_sql.libs.diff +eap.server.key.diff +eap.random_file.diff +zombie_period_start.diff +have_have_ltdladvise_init.diff +radeapclient.libradius.link.diff +proxy_timeout_running.diff +offsetof.diff +gnu_source_for_offsetof.diff +recvpktinfo.diff +CVE-2012-3547.diff +CVE-2011-4966.patch +CVE-2014-2015.patch --- freeradius-2.1.10+dfsg.orig/debian/patches/eap.server.key.diff +++ freeradius-2.1.10+dfsg/debian/patches/eap.server.key.diff 
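Review bot: `series` adds `CVE-2014-2015.patch`, but the changelog entry in this same diff describes that fix as `debian/patches/CVE-2013-2015.patch` while citing the identifier CVE-2014-2015 — one of the two names is a typo, and because quilt applies exactly what `series` lists, a mismatch between the file on disk and this list fails the build rather than quietly skipping the fix. The series name is the one that matters; please reconcile the changelog wording with it. The contents of `CVE-2011-4966.patch` and `CVE-2014-2015.patch` do not appear in this excerpt, so the fixes themselves cannot be reviewed here; only the changelog's one-line summaries are available.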
@@ -0,0 +1,11 @@
+--- freeradius-2.1.9+dfsg/raddb/eap.conf~ 2010-05-24 07:40:58.000000000 +0200
++++ freeradius-2.1.9+dfsg/raddb/eap.conf 2010-05-30 13:41:36.000000000 +0200
+@@ -156,7 +156,7 @@
+ cadir = ${confdir}/certs
+ 
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = ${certdir}/server.key
+ 
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
--- freeradius-2.1.10+dfsg.orig/debian/patches/radeapclient.libradius.link.diff
+++ freeradius-2.1.10+dfsg/debian/patches/radeapclient.libradius.link.diff
@@ -0,0 +1,11 @@
+--- freeradius-2.1.10/src/modules/rlm_eap/Makefile.in~ 2010-09-28 13:03:56.000000000 +0200
++++ freeradius-2.1.10/src/modules/rlm_eap/Makefile.in 2011-05-01 18:27:42.000000000 +0200
+@@ -30,7 +30,7 @@
+ $(LT_OBJS): $(HEADERS)
+ 
+ radeapclient: radeapclient.lo $(CLIENTLIBS)
+- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(RLM_LDFLAGS) -o radeapclient radeapclient.lo $(CLIENTLIBS) $(LIBS) $(OPENSSL_LIBS)
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(RLM_LDFLAGS) -o radeapclient radeapclient.lo $(LIBRADIUS) $(CLIENTLIBS) $(LIBS) $(OPENSSL_LIBS)
+ 
+ radeapclient.lo: radeapclient.c $(HEADERS)
+ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(RLM_CFLAGS) -c radeapclient.c
--- freeradius-2.1.10+dfsg.orig/debian/patches/have_have_ltdladvise_init.diff
+++ freeradius-2.1.10+dfsg/debian/patches/have_have_ltdladvise_init.diff
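Review bot: eap.server.key.diff carries no DEP-3 header, so nothing in the patch records why `private_key_file` moves from `${certdir}/server.pem` to `${certdir}/server.key` or whether the change is Debian-specific; CVE-2012-3547.diff further down shows the expected form. Two lines at the top of the patch would do, e.g. `Description: use ${certdir}/server.key as the EAP-TLS private_key_file` and `Author: <maintainer name and address>` (placeholder). The same gap applies to radeapclient.libradius.link.diff in this line and to offsetof.diff, have_have_ltdladvise_init.diff, eap.random_file.diff, zombie_period_start.diff, proxy_timeout_running.diff and recvpktinfo.diff, none of which state their origin or purpose.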
@@ -0,0 +1,22 @@
+--- freeradius-2.1.10/configure.in~ 2010-09-28 13:03:56.000000000 +0200
++++ freeradius-2.1.10/configure.in 2011-05-01 18:33:15.000000000 +0200
+@@ -936,7 +936,7 @@
+ 
+ old_LIBS="$LIBS"
+ LIBS="$LIBS $LIBLTDL"
+-AC_CHECK_FUNC(lt_dladvise_init, AC_DEFINE(HAVE_HAVE_LT_DLADVISE_INIT, [], [Do we have the lt_dladvise_init function]))
++AC_CHECK_FUNC(lt_dladvise_init, AC_DEFINE(HAVE_LT_DLADVISE_INIT, [], [Do we have the lt_dladvise_init function]))
+ LIBS="$old_LIBS"
+ 
+ dnl Check for libcrypt
+--- freeradius-2.1.10/configure~ 2010-09-28 13:03:56.000000000 +0200
++++ freeradius-2.1.10/configure 2011-05-01 18:33:24.000000000 +0200
+@@ -25121,7 +25121,7 @@
+ if test $ac_cv_func_lt_dladvise_init = yes; then
+ 
+ cat >>confdefs.h <<\_ACEOF
+-#define HAVE_HAVE_LT_DLADVISE_INIT
++#define HAVE_LT_DLADVISE_INIT
+ _ACEOF
+ 
+ fi
--- freeradius-2.1.10+dfsg.orig/debian/patches/eap.random_file.diff
+++ freeradius-2.1.10+dfsg/debian/patches/eap.random_file.diff
@@ -0,0 +1,11 @@
+--- freeradius-2.1.10+dfsg/raddb/eap.conf~ 2010-09-28 13:03:56.000000000 +0200
++++ freeradius-2.1.10+dfsg/raddb/eap.conf 2010-10-14 22:16:08.000000000 +0200
+@@ -194,7 +194,7 @@
+ # openssl dhparam -out certs/dh 1024
+ #
+ dh_file = ${certdir}/dh
+- random_file = ${certdir}/random
++ random_file = /dev/urandom
+ 
+ #
+ # This can never exceed the size of a RADIUS
--- freeradius-2.1.10+dfsg.orig/debian/patches/zombie_period_start.diff
+++ freeradius-2.1.10+dfsg/debian/patches/zombie_period_start.diff
@@ -0,0 +1,13 @@
+diff --git a/src/main/event.c b/src/main/event.c
+index 6ec1de9..fb51708 100644
+--- a/src/main/event.c
++++ b/src/main/event.c
+@@ -1122,7 +1122,7 @@ static void no_response_to_proxied_request(void *ctx)
+ home->state = HOME_STATE_ZOMBIE;
+ 
+ home->zombie_period_start.tv_sec = home->last_packet;
+- home->zombie_period_start.tv_sec = USEC / 2;
++ home->zombie_period_start.tv_usec = USEC / 2;
+ 
+ fr_event_delete(el, &home->ev);
+ home->currently_outstanding = 0;
--- freeradius-2.1.10+dfsg.orig/debian/patches/CVE-2014-2015.patch
+++ freeradius-2.1.10+dfsg/debian/patches/CVE-2014-2015.patch
@@ -0,0 +1,32 @@
+From 0d606cfc29ab2e91764854e733d4525e6c667eb9 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Thu, 13 Feb 2014 09:29:35 -0500
+Subject: [PATCH] Increase buffer size. Use output buffer size as limit for
+ hex2bin
+
+---
+ src/modules/rlm_pap/rlm_pap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: freeradius-2.1.12+dfsg/src/modules/rlm_pap/rlm_pap.c
+===================================================================
+--- freeradius-2.1.12+dfsg.orig/src/modules/rlm_pap/rlm_pap.c 2014-02-24 09:13:36.279874125 -0500
++++ freeradius-2.1.12+dfsg/src/modules/rlm_pap/rlm_pap.c 2014-02-24 09:13:36.271874125 -0500
+@@ -244,7 +244,7 @@
+ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ {
+ size_t decoded;
+- uint8_t buffer[64];
++ uint8_t buffer[256];
+ 
+ if (min_length >= sizeof(buffer)) return; /* paranoia */
+ 
+@@ -252,7 +252,7 @@
+ * Hex encoding.
+ */
+ if (vp->length >= (2 * min_length)) {
+- decoded = fr_hex2bin(vp->vp_strvalue, buffer, vp->length >> 1);
++ decoded = fr_hex2bin(vp->vp_strvalue, buffer, sizeof(buffer));
+ if (decoded == (vp->length >> 1)) {
+ RDEBUG2("Normalizing %s from hex encoding", vp->name);
+ memcpy(vp->vp_octets, buffer, decoded);
--- freeradius-2.1.10+dfsg.orig/debian/patches/proxy_timeout_running.diff
+++ freeradius-2.1.10+dfsg/debian/patches/proxy_timeout_running.diff
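Review bot: The new `fr_hex2bin(vp->vp_strvalue, buffer, sizeof(buffer))` call correctly bounds the decode by the stack buffer, but nothing at the call site records why the jump from 64 to 256 bytes is sufficient for the `memcpy(vp->vp_octets, buffer, decoded)` that follows, and the next person to resize either side has no guidance; a comment such as `/* decode at most sizeof(buffer) bytes; the equality test below rejects any value too long to have been fully decoded */` above the call would pin the invariant. The embedded patch header names `freeradius-2.1.12+dfsg` while this package is `freeradius-2.1.10+dfsg`, so it was lifted from a later Debian revision; quilt's default strip level still resolves the path, but the `@@ -244` and `@@ -252` offsets may only apply with fuzz and are worth refreshing against this tree (CVE-2011-4966.patch below has the same mismatch). `normify` begins in the first hunk and continues past the end of the second.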
@@ -0,0 +1,35 @@
+diff --git a/src/main/event.c b/src/main/event.c
+index 78bb220..95008a4 100644
+--- a/src/main/event.c
++++ b/src/main/event.c
+@@ -1232,16 +1232,17 @@ static void wait_a_bit(void *ctx)
+ case REQUEST_RUNNING:
+ /*
+ * If we're not thread-capable, OR we're capable,
+- * but have been told to run without threads,
+- * complain when the requests is queued for a
+- * thread, or running in a child thread.
++ * but have been told to run without threads, and
++ * the request is still running. This is usually
++ * because the request was proxied, and the home
++ * server didn't respond.
+ */
+ #ifdef HAVE_PTHREAD_H
+ if (!have_children)
+ #endif
+ {
+- rad_assert("We do not have threads, but the request is marked as queued or running in a child thread" == NULL);
+- break;
++ request->child_state = REQUEST_DONE;
++ goto done;
+ }
+ 
+ #ifdef HAVE_PTHREAD_H
+@@ -1312,6 +1313,7 @@ static void wait_a_bit(void *ctx)
+ * and clean it up.
+ */
+ case REQUEST_DONE:
++ done:
+ #ifdef HAVE_PTHREAD_H
+ request->child_pid = NO_SUCH_CHILD_PID;
+ #endif
--- freeradius-2.1.10+dfsg.orig/debian/patches/recvpktinfo.diff
+++ freeradius-2.1.10+dfsg/debian/patches/recvpktinfo.diff
@@ -0,0 +1,11 @@
+--- freeradius-2.1.10/src/lib/udpfromto.c~ 2010-09-28 13:03:56.000000000 +0200
++++ freeradius-2.1.10/src/lib/udpfromto.c 2011-05-06 18:00:20.000000000 +0200
+@@ -87,7 +87,7 @@
+ * This should actually be standard IPv6
+ */
+ proto = IPPROTO_IPV6;
+- flag = IPV6_PKTINFO;
++ flag = IPV6_RECVPKTINFO;
+ #endif
+ #endif
+ } else {
--- freeradius-2.1.10+dfsg.orig/debian/patches/CVE-2012-3547.diff
+++ freeradius-2.1.10+dfsg/debian/patches/CVE-2012-3547.diff
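Review bot: The replacement for the removed `rad_assert` marks the request `REQUEST_DONE` and jumps to cleanup without emitting anything, so an operator loses the only signal that a proxied request timed out and was discarded in the no-threads configuration; a log line before the jump, e.g. `radlog_request(L_ERR, 0, request, "Request still running without threads (home server did not respond); marking done");`, keeps the event visible. Separately, the new `done:` label is placed inside `case REQUEST_DONE:` directly before `#ifdef HAVE_PTHREAD_H`, so when that macro is undefined the label attaches to whatever follows the `#endif`, which lies outside the hunk; confirm that is a statement rather than a declaration, since a label immediately before a declaration does not compile as C99/C11. `wait_a_bit` starts before the first hunk and ends after the second.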
@@ -0,0 +1,18 @@
+Description: fix denial of service and possible code execution via
+ crafted client certificates
+Origin: upstream, https://github.com/alandekok/freeradius-server/commit/78e5aed56c36a9231bc91ea5f55b3edf88a9d2a4
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687175
+
+Index: freeradius-2.1.10+dfsg/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+===================================================================
+--- freeradius-2.1.10+dfsg.orig/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2010-09-28 07:03:56.000000000 -0400
++++ freeradius-2.1.10+dfsg/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2012-09-24 12:46:25.516564820 -0400
+@@ -331,7 +331,7 @@
+ */
+ buf[0] = '\0';
+ asn_time = X509_get_notAfter(client_cert);
+- if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
++ if ((lookup <= 1) && asn_time && (asn_time->length < sizeof(buf))) {
+ memcpy(buf, (char*) asn_time->data, asn_time->length);
+ buf[asn_time->length] = '\0';
+ pairadd(&handler->certs,
--- freeradius-2.1.10+dfsg.orig/debian/patches/CVE-2011-4966.patch
+++ freeradius-2.1.10+dfsg/debian/patches/CVE-2011-4966.patch
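Review bot: The new guard `asn_time->length < sizeof(buf)` compares OpenSSL's `int` length field against a `size_t`, so a negative length would be promoted to a large unsigned value and pass, after which the `memcpy` and the `buf[asn_time->length] = '\0'` store on the next two lines would index with a negative value; a certificate that parsed successfully should not produce one, but the check is cheap: `if ((lookup <= 1) && asn_time && (asn_time->length >= 0) && ((size_t)asn_time->length < sizeof(buf))) {`. Tying the bound to `sizeof(buf)` instead of `MAX_STRING_LEN` is the right fix, since it follows the real destination; a one-line comment noting that `buf` must remain a local array (not a pointer) for `sizeof` to mean its capacity would keep a later refactor from silently re-opening the overflow. The enclosing function starts and ends outside this hunk.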
@@ -0,0 +1,32 @@
+From 1b1ec5ce75e224bd1755650c18ccdaa6dc53e605 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Tue, 7 Feb 2012 20:58:52 +0100
+Subject: [PATCH] heck for account and password expiration
+
+---
+ src/modules/rlm_unix/rlm_unix.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Index: freeradius-2.1.12+dfsg/src/modules/rlm_unix/rlm_unix.c
+===================================================================
+--- freeradius-2.1.12+dfsg.orig/src/modules/rlm_unix/rlm_unix.c 2014-02-24 09:16:50.263877270 -0500
++++ freeradius-2.1.12+dfsg/src/modules/rlm_unix/rlm_unix.c 2014-02-24 09:16:50.263877270 -0500
+@@ -274,9 +274,17 @@
+ /*
+ * Check if password has expired.
+ */
++ if (spwd && spwd->sp_lstchg > 0 && spwd->sp_max >= 0 &&
++ (request->timestamp / 86400) > (spwd->sp_lstchg + spwd->sp_max)) {
++ radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
++ return RLM_MODULE_REJECT;
++ }
++ /*
++ * Check if account has expired.
++ */
+ if (spwd && spwd->sp_expire > 0 &&
+ (request->timestamp / 86400) > spwd->sp_expire) {
+- radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
++ radlog_request(L_AUTH, 0, request, "[%s]: account has expired", name);
+ return RLM_MODULE_REJECT;
+ }
+ #endif
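Review bot: The new password-expiry test is skipped entirely when `spwd->sp_lstchg == 0`, yet shadow(5) gives that value the special meaning "password must be changed at next login", so an account an administrator has flagged that way authenticates here as if its password were current. Rejecting it is defensible (a RADIUS exchange cannot force a change), but the choice should be recorded rather than implied by `> 0`, e.g. `/* sp_lstchg == 0 means "change at next login"; accepted here because no password change is possible over RADIUS */`, or the test tightened to `spwd->sp_lstchg >= 0` if rejection is intended. The grace-period field `sp_inact` is likewise not consulted, so a user still inside their inactivity window is rejected outright; the same comment can state that this is intentional. The enclosing function begins and ends outside the hunk.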