Bug 612608 - dev-erlang/epam-1.0.0: epam binary missing setuid bit or capabilities
Summary: dev-erlang/epam-1.0.0: epam binary missing setuid bit or capabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Amadeusz Żołnowski (RETIRED)
Reported: 2017-03-14 12:28 UTC by Martin Bednar
Modified: 2017-05-28 12:48 UTC
Description Martin Bednar 2017-03-14 12:28:42 UTC
Using ejabberd with PAM authentication.
In the default configuration just after install this does not work.
I fixed it by setting suid on the epam binary
chmod u+s /usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam
to achieve mode 4510

and removing 
PrivateDevices=true
NoNewPrivileges=true
ProtectSystem=full

for ejabberd.service.
I haven't yet tried to fix it using capabilities (both in unit file and on epam binary).
Comment 1 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-04-19 20:25:48 UTC
suid is set for epam wrapper. See line `fperms 4750 "${epam_path}"` in ejabberd ebuild. Can you check whether you have set suid on the wrapper script? It is installed in `/usr/lib/ejabberd-*/priv/bin/epam`. I was testing ejabberd with PAM authentication and setting suid on the wrapper worked.
Comment 2 Martin Bednar 2017-04-19 20:51:28 UTC
Yes, /usr/lib/ejabberd-16.09/priv/bin/epam has the suid bit set.
mode : -rwsr-x---
I just checked again:
/usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam without suid bit:

[info] Application p1_pam started on node 'ejabberd@...'
epam[29158]: pam_unix(xmpp:auth): authentication failure; logname= uid=130 euid=130 tty= ruser=**** rhost=  user=****

/usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam with suid bit:

[debug] Supervisor epam_sup started epam:start_link() at pid <0.418.0>
[info] Application p1_pam started on node 'ejabberd@...'
[info] ({socket_state,fast_tls,{tlssock,#Port<0.10939>,#Port<0.10940>},<0.523.0>}) Accepted authentication for **** by ejabberd_auth_pam from ....

Seems to me the wrapper isn't being used?
Comment 3 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-04-19 21:37:32 UTC
Could you (re)move `/usr/lib/ejabberd-*/priv/bin/epam` and try again these 2 test cases, please?
Comment 4 Martin Bednar 2017-04-19 21:49:45 UTC
So that's that...

[error] Can't open file "/usr/lib64/ejabberd-16.09/priv/bin/epam": enoent
[error] CRASH REPORT Process epam with 0 neighbours exited with reason: bad return value: error in gen_server:init_it/6 line 356
[error] Supervisor epam_sup had child epam started with epam:start_link() at undefined exit with reason bad return value: error in context start_error
[error] CRASH REPORT Process <0.401.0> with 0 neighbours exited with reason: {{shutdown,{failed_to_start_child,epam,{bad_return_value,error}}},{epam_app,start,[normal,[]]}} in application_master:init/4 line 134
[info] Application p1_pam exited with reason: {{shutdown,{failed_to_start_child,epam,{bad_return_value,error}}},{epam_app,start,[normal,[]]}}
failed to start application 'p1_pam': {error,
                                       {{shutdown,
                                         {failed_to_start_child,epam,
[33B blob data]
[1B blob data]
Comment 5 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-04-20 20:41:22 UTC
OK, I see now. The epam binary actually needs to have suid rather than the wrapper script, because suid doesn't seem to affect the script. I just wonder how it worked for me...
Comment 6 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-05-27 20:56:03 UTC
It's fixed in ejabberd-17.01-r1. Could you test it, please?
Comment 7 Martin Bednar 2017-05-28 11:53:38 UTC
Just updated to 17.01.
epam is installed with suid bit enabled, and pam auth seems to work out of the box.
Thanks
Comment 8 Amadeusz Żołnowski (RETIRED) gentoo-dev 2017-05-28 12:48:02 UTC
Thank you for reporting the issue and testing!