Bug 592218 - net-im/ejabberd-16.04 fails to authenticate users with pam
Summary: net-im/ejabberd-16.04 fails to authenticate users with pam
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Amadeusz Żołnowski (RETIRED)
Reported: 2016-08-27 01:17 UTC by Joe D
Modified: 2016-09-18 21:29 UTC
Description Joe D 2016-08-27 01:17:28 UTC
When using pam authentication, users are unable to log in to the ejabberd service.


Reproducible: Always

Steps to Reproduce:
1. Install ejabberd
2. Set the authentication to "pam", and pam_service to "xmpp"
3. Have a user connect to the server using their IM program of choice.
Actual Results:  
Fails to connect.

Expected Results:  
Connect as normal.


The issue is that the epam helper program that's installed in "/usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam" must be run as setuid root, but it is not installed that way.

This command needs to be run in the install script:

chmod +4750 /usr/lib64/erlang/lib/p1_pam-1.0.0/priv/bin/epam
Comment 1 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-08-27 06:53:33 UTC
It is interesting, because it works for me without suid. The command is actually run, but afterwards chown is run, which resets the suid bit... I will change the order.
Comment 2 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-08-27 07:06:38 UTC
I have fixed it in current ejabberd-16.04.ebuild. I am not revbumping now because I have other fixes in progress for ejabberd-16.04-r1.ebuild. Could you please re-emerge ejabberd-16.04 and test it?
Comment 3 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-08-27 11:18:24 UTC
And know there's another thing which changes permissions. On installation there's a portage functionality which removes read bit from group for files having suid set. It makes ejabberd fail on start.
Comment 4 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-08-27 11:18:39 UTC
s/know/now/
Comment 5 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-08-27 13:36:53 UTC
I have partially fixed it in ejabberd-16.04. If you turn off the sfperms FEATURE then it should work. In ejabberd-16.04-r1 I have applied a full workaround for the problem (see other bug #334473), but that revision needs stabilization of course.
Comment 6 Joe D 2016-08-30 22:47:30 UTC
(In reply to Amadeusz Żołnowski from comment #2)
> I have fixed it in current ejabberd-16.04.ebuild. I am not revbumping now
> because I have other fixes in progress for ejabberd-16.04-r1.ebuild. Could
> you please reemerge ejabberd-16.04 and test it, please?

I re-emerged it, but it didn't seem to do anything.

Then I realized that epam is NOT contained in ejabberd but in p1_pam.

When I re-emerged p1_pam, the suid bit was cleared.
Comment 7 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-09-01 18:49:50 UTC
The epam wrapper, which is a part of the ejabberd package and is installed in /usr/lib/ejabberd-16.04/priv/bin, should have the suid bit set, while the epam binary installed by the p1_pam package should have the suid bit unset. Is that what you observe?
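
The thread turns on three states of the helper's mode: setuid with group read and execute (the 4750 requested in the description), setuid cleared by a later chown (comment 1), and group read stripped from a setuid file by sfperms (comment 3). The check and ordering helpers below are an added example, not code from the ebuild or from any commenter; the function names, the status strings and the use of the current uid/gid as owner are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Names and status strings are hypothetical, not from the ebuild.

# audit_helper PATH prints one status word and returns non-zero unless "ok":
#   ok                  setuid set, group may read and execute, nothing for others
#   suid-missing        setuid bit absent (for example cleared by a later chown)
#   group-read-missing  setuid set, group read stripped (the sfperms effect)
#   group-exec-missing  group cannot execute the helper
#   world-accessible    "other" has some permission, broader than 4750
#   not-found           PATH is not a regular file
audit_helper() {
    f=$1
    [ -f "$f" ] || { echo not-found; return 1; }
    [ -u "$f" ] || { echo suid-missing; return 1; }
    # find -perm -MODE prints the path only when every bit in MODE is set.
    [ -n "$(find "$f" -perm -040)" ] || { echo group-read-missing; return 1; }
    [ -n "$(find "$f" -perm -010)" ] || { echo group-exec-missing; return 1; }
    [ -z "$(find "$f" \( -perm -004 -o -perm -002 -o -perm -001 \))" ] ||
        { echo world-accessible; return 1; }
    echo ok
}

# Ownership first, mode last: on Linux chown(2) clears the set-user-ID bit of
# a regular file, so chmod has to be the final step.
# The current uid:gid stands in for the real owner (an assumption).
set_helper_mode() {
    chown "$(id -u):$(id -g)" "$1" && chmod 4750 "$1"
}

# The order described in comment 1, kept for comparison: chmod, then chown.
set_helper_mode_chown_last() {
    chmod 4750 "$1" && chown "$(id -u):$(id -g)" "$1"
}

# Audit any paths given on the command line, for example the two epam
# locations named in this bug.
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(audit_helper "$p")"
done
```

Comment 7 expects the two epam files to differ, so a "suid-missing" result for the binary installed by p1_pam is the intended state there, while the ejabberd wrapper should report "ok".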