Bug 345909 - net-im/ejabberd 2.1.5 / unix_chkpwd : wrong ownerships ? (pam auth helper)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High normal
Assignee: Peter Volkov (RETIRED)
Reported: 2010-11-17 16:54 UTC by bathizte
Modified: 2010-11-18 13:29 UTC

Attachments
ejabberd-2.1.5*.ebuild.patch (ejabberd-2.1.5-r2.ebuild.patch, 507 bytes, patch)
2010-11-18 09:26 UTC, Gavin Pryke

Description bathizte 2010-11-17 16:54:47 UTC
I've had this ejabberd server running for more than 2 years now.
I restarted the ejabberd server after a system upgrade and could not log in with my unix account.


Reproducible: Always

Steps to Reproduce:
1. Install ejabberd w/ Pam auth
2. Configure 
3. Launch
4. Log in with unix account

Actual Results:  
unix_chkpwd[15246]: check pass; user unknown
unix_chkpwd[15247]: check pass; user unknown
unix_chkpwd[15247]: password check failed for user (bathizte)
epam: pam_unix(xmpp:auth): authentication failure; logname= uid=107 euid=107 tty= ruser=bathizte rhost=  user=bathizte


Expected Results:  
Correct login.

This thread helped me solve this and shows the problem occurred at least for someone else.
http://old.nabble.com/Fwd%3A-Re%3A-ejabberd-and-pam-debugging--p29552507s24859.html

What I did 

$ ls -al /sbin/unix_chkpwd
-rws--x--x 1 root root 26084 16 nov.  22:22 /sbin/unix_chkpwd*
$ chown root.jabber /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam 
$ vim /usr/sbin/ejabberdctl
l.15 : INSTALLUSER=jabber -> INSTALLUSER=jabber
Comment 1 Gavin Pryke 2010-11-18 09:26:35 UTC
Created attachment 254703
ejabberd-2.1.5*.ebuild.patch

As per following the ejabberd guide for pam at
http://www.process-one.net/en/ejabberd/guide_en#pam
this ebuild patch attempts a fix. Permissions look good after this but I have not tested with pam as I don't use this authentication method in ejabberd.
Thanks.
Comment 2 bathizte 2010-11-18 13:16:23 UTC
Hello Gavin.

> this ebuild patch attempts a fix. Permissions look good after this

Ok, I was not meaning permissions but *ownerships* on the epam helper. To be sure to mention everything, I reemerged ejabberd. 

Let's look together : 
$ ls -al /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam
-rws--x--- 1 jabber root 42408 18 nov.  13:54 /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam*

So this is not correct, according to the ejabberd manual : 
> Execute with root privileges:
> |     chown root:ejabberd /var/lib/ejabberd/priv/bin/epam

Ok, So the ebuild should do that. I'll do this :
$ chown root.jabber /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam 

Start ejabberd. Try to log in from my client.
$ tail /var/log/auth.log
unix_chkpwd[23927]: check pass; user unknown
unix_chkpwd[23928]: check pass; user unknown
unix_chkpwd[23928]: password check failed for user (bathizte)

Check epam helper user : 
$ ps aux | grep epam
jabber   23905  0.0  0.0   2124   968 ?        Ss   14:02   0:00 /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam

The epam process cannot access unix_chkpwd which is suid'ed. Has to be launched as root. 

I have a limited comprehension of ejabberd processes, erlang nodes etc, so for now I hacked /usr/sbin/ejabberdctl to change INSTALL_USER to root. 

And that's it. 

My guesses :
- the ebuild doesn't fix epam's right *ownership* 
- the epam helper then runs as jabber user, so it cannot use unix_chkpwd 
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2010-11-18 13:29:21 UTC
Thank you for the report. Fix in ejabberd-2.1.5-r3.
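
An added example, not part of the bug report or the ebuild: a shell check for the epam ownership discussed in comment 2. It parses an `ls -ld` line like the ones posted above and verifies owner, group, the setuid bit and, as an assumption taken from the mode shown in that listing, no access for others. The function names are hypothetical; root and jabber are the names used in this bug.

```shell
#!/bin/sh
# Audit one `ls -ld` line for a setuid PAM helper such as epam.
# Usage: audit_ls_line "<ls -ld line>" <expected owner> <expected group>
# Returns 0 when every check passes, 1 otherwise.
audit_ls_line() {
    line=$1 want_owner=$2 want_group=$3
    # Split the listing into fields without glob-expanding a trailing '*'.
    set -f; set -- $line; set +f
    mode=$1 owner=$3 group=$4
    rc=0
    case $mode in
        -*) ;;
        *) echo "FAIL: not a regular file (mode '$mode')"; rc=1 ;;
    esac
    # Character 4 of the mode string is 's' when setuid and owner-exec are set.
    case $mode in
        \?\?\?s*) ;;
        ???s*) ;;
        *) echo "FAIL: setuid bit not set (mode '$mode')"; rc=1 ;;
    esac
    # Characters 8-10 are the permissions for "others" (assumed: none).
    case $mode in
        ???????---*) ;;
        *) echo "FAIL: helper is accessible to others (mode '$mode')"; rc=1 ;;
    esac
    [ "$owner" = "$want_owner" ] || {
        echo "FAIL: owner is '$owner', expected '$want_owner'"; rc=1; }
    [ "$group" = "$want_group" ] || {
        echo "FAIL: group is '$group', expected '$want_group'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $owner:$group $mode"
    return "$rc"
}

# Audit a file on disk; a missing file yields an empty line and fails.
audit_helper() {
    audit_ls_line "$(ls -ld -- "$1" 2>/dev/null)" "$2" "$3"
}

# The listing posted in comment 2 (owner jabber, group root) fails the audit.
posted='-rws--x--- 1 jabber root 42408 18 nov.  13:54 /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam*'
audit_ls_line "$posted" root jabber || true
```

On an installed system, `audit_helper /usr/lib/erlang/lib/ejabberd-2.1.5/priv/bin/epam root jabber` runs the same checks against the real file.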