author | Peter Lemenkov <lemenkov@gmail.com> | 2013-09-16 18:51:14 +0400 |
---|---|---|
committer | Peter Lemenkov <lemenkov@gmail.com> | 2013-09-16 18:51:14 +0400 |
commit | 2309409d064d8187f3cc3e02e4c6dce9ee1d47b4 (patch) | |
tree | cfac44e7d6376b9c8bf08de5103178e3a9282838 | |
parent | d8d424561d09c92ad1e35e30669d7af7be552687 (diff) | |
download | ejabberd-2309409d064d8187f3cc3e02e4c6dce9ee1d47b4.tar.gz ejabberd-2309409d064d8187f3cc3e02e4c6dce9ee1d47b4.tar.xz ejabberd-2309409d064d8187f3cc3e02e4c6dce9ee1d47b4.zip |
Switch to polkit
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
-rw-r--r-- | ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch | 2 | ||||
-rw-r--r-- | ejabberd-0002-Fixed-delays-in-s2s-connections.patch | 2 | ||||
-rw-r--r-- | ejabberd-0003-Introducing-mod_admin_extra.patch | 2 | ||||
-rw-r--r-- | ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch | 2 | ||||
-rw-r--r-- | ejabberd-0005-Install-.so-objects-with-0755-permissions.patch | 2 | ||||
-rw-r--r-- | ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch (renamed from ejabberd-0007-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch) | 6 | ||||
-rw-r--r-- | ejabberd-0006-Use-versioned-directory-for-storing-docs.patch | 35 | ||||
-rw-r--r-- | ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch (renamed from ejabberd-0008-Disable-INET_DIST_INTERFACE-by-default.patch) | 6 | ||||
-rw-r--r-- | ejabberd-0008-Clean-up-false-security-measure.patch | 26 | ||||
-rw-r--r-- | ejabberd.spec | 56 | ||||
-rw-r--r-- | ejabberdctl.polkit.rules | 9 | ||||
-rw-r--r-- | ejabberdctl.sh | 2 |
12 files changed, 89 insertions, 61 deletions
diff --git a/ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch b/ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch index 16c21c9..b3f929f 100644 --- a/ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch +++ b/ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch @@ -22,5 +22,5 @@ index a4068ad..9b24a4a 100644 %% %% Authentication using LDAP -- -1.8.2.1 +1.8.3.1 diff --git a/ejabberd-0002-Fixed-delays-in-s2s-connections.patch b/ejabberd-0002-Fixed-delays-in-s2s-connections.patch index 33787e7..4533041 100644 --- a/ejabberd-0002-Fixed-delays-in-s2s-connections.patch +++ b/ejabberd-0002-Fixed-delays-in-s2s-connections.patch @@ -49,5 +49,5 @@ index 0dedb4c..9376d16 100644 end; open_socket(closed, StateData) -> -- -1.8.2.1 +1.8.3.1 diff --git a/ejabberd-0003-Introducing-mod_admin_extra.patch b/ejabberd-0003-Introducing-mod_admin_extra.patch index a5f63f6..cac9b0a 100644 --- a/ejabberd-0003-Introducing-mod_admin_extra.patch +++ b/ejabberd-0003-Introducing-mod_admin_extra.patch @@ -1603,5 +1603,5 @@ index 0000000..1cef25a +is_glob_match(String, Glob) -> + is_regexp_match(String, ejabberd_regexp:sh_to_awk(Glob)). -- -1.8.2.1 +1.8.3.1 diff --git a/ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch b/ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch index 590b843..6a3e5d2 100644 --- a/ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch +++ b/ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch @@ -44,5 +44,5 @@ index 461ec1a..b298e01 100644 done if [ "$ID" -eq "$EJID" ] ; then -- -1.8.2.1 +1.8.3.1 diff --git a/ejabberd-0005-Install-.so-objects-with-0755-permissions.patch b/ejabberd-0005-Install-.so-objects-with-0755-permissions.patch index a26b721..354b1d3 100644 --- a/ejabberd-0005-Install-.so-objects-with-0755-permissions.patch +++ b/ejabberd-0005-Install-.so-objects-with-0755-permissions.patch 
@@ -22,5 +22,5 @@ index 42af5b2..64ed856 100644 # Translated strings install -d $(MSGSDIR) -- -1.8.2.1 +1.8.3.1 diff --git a/ejabberd-0007-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch b/ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch index d7132a5..30c5df1 100644 --- a/ejabberd-0007-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch +++ b/ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch @@ -1,7 +1,7 @@ -From c00d31b20735b9a9d2bde1be7c4a70463bd1762e Mon Sep 17 00:00:00 2001 +From e49dbaca001a3d311a2f8a8e878c5b8b6fc385c0 Mon Sep 17 00:00:00 2001 From: Badlop <badlop@process-one.net> Date: Thu, 15 Apr 2010 17:20:16 +0200 -Subject: [PATCH 7/8] Support SASL GSSAPI authentication (thanks to Mikael +Subject: [PATCH 6/8] Support SASL GSSAPI authentication (thanks to Mikael Magnusson)(EJAB-831) --- @@ -501,5 +501,5 @@ index 836e7d9..59e4034 100644 %% Internal functions %%==================================================================== -- -1.8.2.1 +1.8.3.1 diff --git a/ejabberd-0006-Use-versioned-directory-for-storing-docs.patch b/ejabberd-0006-Use-versioned-directory-for-storing-docs.patch deleted file mode 100644 index 0ef4a30..0000000 --- a/ejabberd-0006-Use-versioned-directory-for-storing-docs.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From ba733c94f5f1238dc73e624a842ebc47ecc1c605 Mon Sep 17 00:00:00 2001 -From: Peter Lemenkov <lemenkov@gmail.com> -Date: Sat, 12 Jun 2010 16:12:11 +0400 -Subject: [PATCH 6/8] Use versioned directory for storing docs - -It's also a good idea to store doc-files under the versioned directory. -This may greatly simplify parallel installation of different versions of -ejabbed. - -Note that this may be done in the other way - by changing proper field -in the AC_INIT macro, see the explanation of the field 'tarname': - -http://www.gnu.org/software/autoconf/manual/html_node/Initializing-configure.html - -Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> ---- - src/Makefile.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/Makefile.in b/src/Makefile.in -index 64ed856..43b5e1f 100644 ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -98,7 +98,7 @@ SBINDIR = $(DESTDIR)@sbindir@ - EJABBERDDIR = $(DESTDIR)@libdir@/ejabberd - - # /share/doc/ejabberd --PACKAGE_TARNAME = @PACKAGE_TARNAME@ -+PACKAGE_TARNAME = @PACKAGE_TARNAME@-@PACKAGE_VERSION@ - datarootdir = @datarootdir@ - DOCDIR = $(DESTDIR)@docdir@ - --- -1.8.2.1 - diff --git a/ejabberd-0008-Disable-INET_DIST_INTERFACE-by-default.patch b/ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch index 8138522..09f67fb 100644 --- a/ejabberd-0008-Disable-INET_DIST_INTERFACE-by-default.patch +++ b/ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch @@ -1,7 +1,7 @@ -From e17a26e31d6ddd1b9ab5bc0b00665f94cbdfa5b0 Mon Sep 17 00:00:00 2001 +From a8910615b82e7af8cb32916792970de0b53e5872 Mon Sep 17 00:00:00 2001 From: Peter Lemenkov <lemenkov@gmail.com> Date: Sat, 18 Jun 2011 23:24:28 +0400 -Subject: [PATCH 8/8] Disable INET_DIST_INTERFACE by default +Subject: [PATCH 7/8] Disable INET_DIST_INTERFACE by default Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> --- 
@@ -22,5 +22,5 @@ index b72058a..5ee43cf 100644 #. #' ERL_EPMD_ADDRESS: IP addresses where epmd listens for connections -- -1.8.2.1 +1.8.3.1 diff --git a/ejabberd-0008-Clean-up-false-security-measure.patch b/ejabberd-0008-Clean-up-false-security-measure.patch new file mode 100644 index 0000000..83fa98c --- /dev/null +++ b/ejabberd-0008-Clean-up-false-security-measure.patch @@ -0,0 +1,26 @@ +From c827055ee650243c2af546753743f692ae0fe758 Mon Sep 17 00:00:00 2001 +From: Peter Lemenkov <lemenkov@gmail.com> +Date: Wed, 17 Jul 2013 14:56:09 +0400 +Subject: [PATCH 8/8] Clean up false security measure + +Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> +--- + src/Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Makefile.in b/src/Makefile.in +index 64ed856..1a1fa41 100644 +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -202,7 +202,7 @@ install: all + # + # Administration script + [ -d $(SBINDIR) ] || install -d -m 755 $(SBINDIR) +- install -m 550 $(G_USER) ejabberdctl.example $(SBINDIR)/ejabberdctl ++ install -m 755 $(G_USER) ejabberdctl.example $(SBINDIR)/ejabberdctl + # + # Init script + sed -e "s*@ctlscriptpath@*$(SBINDIR)*" \ +-- +1.8.3.1 + diff --git a/ejabberd.spec b/ejabberd.spec index 0eed25f..2994ccb 100644 --- a/ejabberd.spec +++ b/ejabberd.spec @@ -22,7 +22,7 @@ Name: ejabberd Version: 2.1.13 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A distributed, fault-tolerant Jabber/XMPP server Group: Applications/Internet @@ -40,9 +40,14 @@ Source5: ejabberd.tmpfiles.conf # PAM support Source9: ejabberdctl.pam -Source10: ejabberdctl.apps Source11: ejabberd.pam +# usermode support for old systems +Source10: ejabberdctl.apps +# polkit support +Source12: ejabberdctl.polkit.rules +Source13: ejabberdctl.sh + # Use ejabberd as an example for PAM service name (fedora/epel-specific) Patch1: ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch # fixed delays in s2s connections 
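Review bot: The new `ejabberd-0008-Clean-up-false-security-measure.patch` changes the install mode of `$(SBINDIR)/ejabberdctl` from 550 to 755 with an empty commit body, so the patch records nowhere why the old mode was not a real control. Any local user can now read and start the script, so the patch description should state what actually gates administrative access. Something like `ejabberdctl is a plain shell script; access is enforced by the checks inside the script and by the node itself, not by the file mode` would do, with the wording to be confirmed by the maintainer; the script's ID check is visible here only as context in patch 0004. The Makefile `install:` target continues outside the hunk.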
@@ -53,12 +58,12 @@ Patch3: ejabberd-0003-Introducing-mod_admin_extra.patch Patch4: ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch # Fix so-lib permissions while installing (fedora/epel-specific) Patch5: ejabberd-0005-Install-.so-objects-with-0755-permissions.patch -# Will be proposed for inclusion into upstream -Patch6: ejabberd-0006-Use-versioned-directory-for-storing-docs.patch # Backported from upstream -Patch7: ejabberd-0007-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch +Patch6: ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch # Disable IP restriction for ejabberdctl (seems that it doesn't work well) -Patch8: ejabberd-0008-Disable-INET_DIST_INTERFACE-by-default.patch +Patch7: ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch +# Don't try to make system-wide scripts unreadable for users (fedora/epel-specific) +Patch8: ejabberd-0008-Clean-up-false-security-measure.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -89,6 +94,9 @@ Requires(preun): systemd Requires(postun): systemd %endif +Provides: user(%{name}) +Provides: group(%{name}) + #Error:erlang(exmpp_jid:domain_as_list/1) #Error:erlang(exmpp_jid:make/2) #Error:erlang(exmpp_jid:node_as_list/1) @@ -121,7 +129,12 @@ Requires(postun): systemd Requires: erlang #Error:erlang(esasl:str_error/2) Requires: erlang-esasl +%if 0%{?el5}%{?el6} Requires: usermode +%else +# for /usr/bin/pkexec +Requires: polkit +%endif # for flock in ejabberdctl Requires: util-linux @@ -153,9 +166,9 @@ Documentation for ejabberd. %patch3 -p1 -b .mod_admin_extra %patch4 -p1 -b .fedora_specific %patch5 -p1 -b .fix_perms -%patch6 -p1 -b .versioned_docdir -%patch7 -p1 -b .gssapi -%patch8 -p1 -b .disable_ip_restriction_for_ejabberdctl +%patch6 -p1 -b .gssapi +%patch7 -p1 -b .disable_ip_restriction_for_ejabberdctl +%patch8 -p1 -b .dont_hide %build 
@@ -190,10 +203,7 @@ popd mkdir -p %{buildroot}/var/log/ejabberd mkdir -p %{buildroot}/var/lib/ejabberd/spool -mkdir -p %{buildroot}%{_bindir} -ln -s consolehelper %{buildroot}%{_bindir}/ejabberdctl install -D -p -m 0644 %{S:9} %{buildroot}%{_sysconfdir}/pam.d/ejabberdctl -install -D -p -m 0644 %{S:10} %{buildroot}%{_sysconfdir}/security/console.apps/ejabberdctl install -D -p -m 0644 %{S:11} %{buildroot}%{_sysconfdir}/pam.d/ejabberd %if 0%{?el5} # No password-auth PAM scheme in EL5 - see rhbz #758601 @@ -223,15 +233,23 @@ install -p -m 0644 src/odbc/mssql2005.sql %{buildroot}%{_datadir}/%{name} install -p -m 0644 src/odbc/mysql.sql %{buildroot}%{_datadir}/%{name} install -p -m 0644 src/odbc/pg.sql %{buildroot}%{_datadir}/%{name} -# Clean up false security measure -chmod 755 %{buildroot}%{_sbindir}/ejabberdctl - # Fix permissions for captcha script # In fact, we can also chown root:ejabberd here, but I'm not sure # that we should care about the possibility of reading by someone # for this *default* sript, which is not intended to be changed chmod 755 %{buildroot}%{_libdir}/%{name}/priv/bin/captcha.sh +%if 0%{?el5}%{?el6} +# Use usermode on old systems +mkdir -p %{buildroot}%{_bindir} +ln -s consolehelper %{buildroot}%{_bindir}/ejabberdctl +install -D -p -m 0644 %{S:10} %{buildroot}%{_sysconfdir}/security/console.apps/ejabberdctl +%else +# Install polkit file +install -D -p -m 0644 %{S:12} %{buildroot}%{_datadir}/polkit-1/rules.d/51-ejabberdctl.rules +install -D -p -m 0755 %{S:13} %{buildroot}%{_bindir}/ejabberdctl +%endif + # Remove installed doc-files rm -rf %{buildroot}%{_defaultdocdir} 
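Review bot: In the `%install` hunk at `@@ -190,10 +203,7 @@`, `install -D -p -m 0644 %{S:9} %{buildroot}%{_sysconfdir}/pam.d/ejabberdctl` stays unconditional, while the consolehelper symlink and the `console.apps` file move under `%if 0%{?el5}%{?el6}` in the next hunk. On polkit builds that PAM service file looks unused (it appears to exist for usermode), so the package would ship authentication configuration that nothing consumes. Consider moving that line, and the matching `%config(noreplace) %{_sysconfdir}/pam.d/ejabberdctl` entry in `%files`, into the el5/el6 branch. If it is kept on purpose, a comment naming the component that reads it would settle the question.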
@@ -351,7 +369,11 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} %config(noreplace) %{_sysconfdir}/pam.d/%{name} %config(noreplace) %{_sysconfdir}/pam.d/ejabberdctl +%if 0%{?el5}%{?el6} %config(noreplace) %{_sysconfdir}/security/console.apps/ejabberdctl +%else +%{_datadir}/polkit-1/rules.d/51-ejabberdctl.rules +%endif %{_bindir}/ejabberdctl %{_sbindir}/ejabberdctl @@ -419,6 +441,10 @@ rm -rf %{buildroot} %changelog +* Sun Sep 15 2013 Peter Lemenkov <lemenkov@gmail.com> - 2.1.13-4 +- Use polkit instead of usermode on modern systems +- Restore user/group provides + * Thu Sep 05 2013 Peter Lemenkov <lemenkov@gmail.com> - 2.1.13-3 - TEMPORARY disable hevea - it's broken in F19+ - Fix building with unversioned docdir diff --git a/ejabberdctl.polkit.rules b/ejabberdctl.polkit.rules new file mode 100644 index 0000000..1037d3a --- /dev/null +++ b/ejabberdctl.polkit.rules @@ -0,0 +1,9 @@ +polkit.addRule(function(action, subject) { + var CommandLine = action.lookup("command_line").split(" "); + if (action.id == "org.freedesktop.policykit.exec" && (CommandLine[0] == "/sbin/ejabberdctl" || CommandLine[0] == "/usr/sbin/ejabberdctl")){ + if(subject.isInGroup("ejabberd")) + return polkit.Result.YES; + else + return polkit.Result.NO; + } +}); diff --git a/ejabberdctl.sh b/ejabberdctl.sh new file mode 100644 index 0000000..92a0519 --- /dev/null +++ b/ejabberdctl.sh @@ -0,0 +1,2 @@ +#!/bin/sh +/usr/bin/pkexec /usr/sbin/ejabberdctl "$@" |
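Review bot: In the new `ejabberdctl.polkit.rules`, `action.lookup("command_line").split(" ")` runs before the `action.id` test, so for any polkit action that carries no `command_line` value the lookup presumably yields `undefined` and the rule throws instead of declining. Rules are consulted for every action, so a throwing rule is likely to make unrelated authorization checks fail; this is worth confirming against the polkit version shipped. Test `action.id` first and return `polkit.Result.NOT_HANDLED` for anything that is not an ejabberdctl pkexec request, as in the excerpt below. Separately, the `YES` branch lets any process in group `ejabberd` run the script through pkexec without authentication and with no `subject.local`/`subject.active` condition, while `NO` refuses everyone else outright instead of falling back to `polkit.Result.AUTH_ADMIN`. If the service account itself is in that group, that deserves a deliberate decision and a comment in the file.

```javascript
polkit.addRule(function(action, subject) {
    // Only pkexec requests carry "command_line"; decline before touching it.
    if (action.id != "org.freedesktop.policykit.exec")
        return polkit.Result.NOT_HANDLED;
    var commandLine = action.lookup("command_line");
    if (typeof commandLine != "string")
        return polkit.Result.NOT_HANDLED;
    var program = commandLine.split(" ")[0];
    if (program != "/sbin/ejabberdctl" && program != "/usr/sbin/ejabberdctl")
        return polkit.Result.NOT_HANDLED;
    // … unchanged: subject.isInGroup("ejabberd") YES / NO decision …
});
```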
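Review bot: The wrapper in `ejabberdctl.sh` leaves a `/bin/sh` process waiting on pkexec; `exec /usr/bin/pkexec /usr/sbin/ejabberdctl "$@"` replaces the shell instead, so signals go straight to pkexec. A one-line comment saying that authorization is decided by the polkit rule installed as `51-ejabberdctl.rules` would help whoever reads this file on its own.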