When using pam authentication, users are unable to log in to the ejabberd service.

Reproducible: Always

Steps to Reproduce:
1. Install ejabberd
2. Set the authentication to "pam", and pam_service to "xmpp"
3. Have a user connect to the server using their IM program of choice.

Actual Results: Fails to connect.

Expected Results: Connect as normal.

The issue is that the epam helper program that's installed in "/usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam" must be run as setuid root, but it is not installed that way. This command needs to be run in the install script:

chmod +4750 /usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam
It is interesting, because it works for me without suid. The command is actually run, but afterwards chown is run which resets suid bit... I will change the order.
I have fixed it in current ejabberd-16.04.ebuild. I am not revbumping now because I have other fixes in progress for ejabberd-16.04-r1.ebuild. Could you please reemerge ejabberd-16.04 and test it, please?
And know there's another thing which changes permissions. On installation there's a portage functionality which removes read bit from group for files having suid set. It makes ejabberd fail on start.
s/know/now/
I have partially fixed it in ejabberd-16.04. If you turn off sfperms FEATURE then it should work. In ejabberd-16.04-r1 I have applied full workaround for the problem (see other bug #334473) but that revision needs stabilization of course.
(In reply to Amadeusz Żołnowski from comment #2)
> I have fixed it in current ejabberd-16.04.ebuild. I am not revbumping now
> because I have other fixes in progress for ejabberd-16.04-r1.ebuild. Could
> you please reemerge ejabberd-16.04 and test it, please?

I re-emerged it, but it didn't seem to do anything. Then I realized that epam is NOT contained in ejabberd but in p1_pam. When I re-emerged p1_pam, the suid bit was cleared.
epam wrapper which is a part of ejabberd package and is installed in /usr/lib/ejabberd-16.04/priv/bin should have suid bit set, while epam binary installed by p1_pam package should have suid bit unset. Is it what you observe?
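
A post-install check for the two permission failures described in this thread (setuid bit cleared after installation, group read bit removed from a setuid file), added here as an example and not taken from the ebuild or from ejabberd. The function names `has_bits` and `check_helper_mode` are hypothetical, and the expected mode 4750 is the one given in the report:

```shell
#!/bin/sh
# Added example (not from the ebuild): classify the permission state of a
# setuid helper such as epam. Assumption: the wanted mode is 4750, as in the
# report, owned by the user given as the second argument.

# has_bits FILE OCTAL: true if every bit in OCTAL is set on FILE.
# Uses POSIX find(1) so it does not depend on GNU or BSD stat(1).
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# check_helper_mode FILE OWNER: prints one state word and returns 0 only
# when the file is setuid, owned by OWNER, group read/exec, no world access.
check_helper_mode() {
    f=$1
    owner=$2
    [ -f "$f" ] || { echo "not-found"; return 1; }
    # A setuid bit only helps if the file belongs to the intended user.
    [ -n "$(find "$f" -prune -user "$owner" -print 2>/dev/null)" ] ||
        { echo "wrong-owner"; return 1; }
    # Cleared when chown runs after chmod.
    has_bits "$f" 4000 || { echo "missing-suid"; return 1; }
    # Stripped from setuid files at install time when sfperms is active.
    has_bits "$f" 0040 || { echo "missing-group-read"; return 1; }
    has_bits "$f" 0010 || { echo "missing-group-exec"; return 1; }
    # Mode 4750 grants nothing to "other"; any such bit widens who can
    # run the privileged helper.
    for bit in 0004 0002 0001; do
        if has_bits "$f" "$bit"; then
            echo "world-accessible"
            return 1
        fi
    done
    echo "ok"
}

# Usage (path is the wrapper location mentioned in the last comment):
#   check_helper_mode /usr/lib/ejabberd-16.04/priv/bin/epam root
```

Setting ownership first and the mode second (`chown`, then `chmod 4750`) avoids the first failure, because changing ownership clears the setuid bit.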