/
freeradius.service
80 lines (62 loc) · 2.56 KB
/
freeradius.service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
[Unit]
Description=FreeRADIUS multi-protocol policy server
After=network-online.target
Documentation=man:radiusd(8) man:radiusd.conf(5) https://wiki.freeradius.org/ https://freeradius.org/documentation/freeradius-server/
[Service]
Type=notify
WatchdogSec=60
NotifyAccess=all
EnvironmentFile=-/etc/default/freeradius
# FreeRADIUS can do static evaluation of policy language rules based
# on environmental variables which is very useful for doing per-host
# customization.
# Unfortunately systemd does not allow variable substitutions such
# as %H or $(hostname) in the EnvironmentFile.
# We provide HOSTNAME here for convenience.
Environment=HOSTNAME=%H
# Not needed/used unless the freeradius-snmp package is installed.
# Used by snmptrap and friends to determine where to stored persistent
# configuration files.
Environment=SNMP_PERSISTENT_DIR=/var/lib/freeradius/snmp
# Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS
# is not memory hungry, if it's using more than this, then there's probably
# a leak somewhere.
MemoryLimit=2G
# Ensure the daemon can still write its pidfile after it drops
# privileges. Combination of options that work on a variety of
# systems. Test very carefully if you alter these lines.
RuntimeDirectory=freeradius
RuntimeDirectoryMode=0775
# This does not work on Debian Jessie:
User=freerad
Group=freerad
# This does not work on Ubuntu Bionic:
ExecStartPre=/bin/chown freerad:freerad /var/run/freeradius
ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5
# Don't elevate privileges after starting
NoNewPrivileges=true
# Allow binding to secure ports, broadcast addresses, and raw interfaces.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
# Private /tmp that isn't shared by other processes
PrivateTmp=true
# cgroups are readable only by radiusd, and child processes
ProtectControlGroups=true
# don't load new kernel modules
ProtectKernelModules=true
# don't tune kernel parameters
ProtectKernelTunables=true
# Only allow native system calls
SystemCallArchitectures=native
# We shouldn't be writing to the configuration directory
ReadOnlyDirectories=/etc/freeradius/
# We can read and write to the log directory.
ReadWriteDirectories=/var/log/freeradius/
# We can read and write to our run dir
ReadWriteDirectories=/var/run/freeradius/
# We can read and write to our persistent dir
ReadWriteDirectories=/var/lib/freeradius/
[Install]
WantedBy=multi-user.target