author | Peter Lemenkov <lemenkov@gmail.com> | 2013-10-26 15:51:33 +0400 |
---|---|---|
committer | Peter Lemenkov <lemenkov@gmail.com> | 2013-10-26 15:51:33 +0400 |
commit | 5357d2dc969f94200e776cc864f0fc1b6e6b311a (patch) | |
tree | 297a22e209ffebb85e7ed68479f1c4f5e8a2113f | |
parent | 2309409d064d8187f3cc3e02e4c6dce9ee1d47b4 (diff) | |
Fix polkit
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch | 2 | ||||
-rw-r--r-- | ejabberd-0002-Fixed-delays-in-s2s-connections.patch | 2 | ||||
-rw-r--r-- | ejabberd-0003-Introducing-mod_admin_extra.patch | 2 | ||||
-rw-r--r-- | ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch | 2 | ||||
-rw-r--r-- | ejabberd-0005-Install-.so-objects-with-0755-permissions.patch | 2 | ||||
-rw-r--r-- | ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch | 2 | ||||
-rw-r--r-- | ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch | 2 | ||||
-rw-r--r-- | ejabberd-0008-Clean-up-false-security-measure.patch | 2 | ||||
-rw-r--r-- | ejabberd-0009-Enable-polkit-support.patch | 23 | ||||
-rw-r--r-- | ejabberd-0010-Install-into-BINDIR-instead-of-SBINDIR.patch | 50 | ||||
-rw-r--r-- | ejabberd.spec | 64 | ||||
-rw-r--r-- | ejabberdctl.polkit.actions | 17 | ||||
-rw-r--r-- | ejabberdctl.polkit.rules | 9 | ||||
-rw-r--r-- | ejabberdctl.sh | 2 | ||||
-rw-r--r-- | sources | 2 |
16 files changed, 144 insertions, 40 deletions
@@ -7,3 +7,4 @@ ejabberd-2.1.5.tar.gz /ejabberd-2.1.11.tgz /processone-ejabberd-v2.1.12-0-gc058687.tar.gz /processone-ejabberd-v2.1.13-0-g5feeacf.tar.gz +/ejabberd-v2.1.13.tar.gz diff --git a/ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch b/ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch index b3f929f..8883f15 100644 --- a/ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch +++ b/ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch @@ -1,7 +1,7 @@ From b3a61330f7328507e1608e437a152e806ef520d1 Mon Sep 17 00:00:00 2001 From: Peter Lemenkov <lemenkov@gmail.com> Date: Tue, 16 Feb 2010 16:03:38 +0300 -Subject: [PATCH 1/8] Fix PAM service example name to match actual one +Subject: [PATCH 01/10] Fix PAM service example name to match actual one Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> --- diff --git a/ejabberd-0002-Fixed-delays-in-s2s-connections.patch b/ejabberd-0002-Fixed-delays-in-s2s-connections.patch index 4533041..8572111 100644 --- a/ejabberd-0002-Fixed-delays-in-s2s-connections.patch +++ b/ejabberd-0002-Fixed-delays-in-s2s-connections.patch @@ -1,7 +1,7 @@ From ec26218c6f2374f4e39e50c194150065cc5da275 Mon Sep 17 00:00:00 2001 From: Sergei Golovan <sgolovan@nes.ru> Date: Tue, 16 Feb 2010 16:07:37 +0300 -Subject: [PATCH 2/8] Fixed delays in s2s connections. +Subject: [PATCH 02/10] Fixed delays in s2s connections. Patch by Sergei Golovan increases timeouts in S2S and removes horrible 5-minute delay between remote server connection attempts after a falure (in case of diff --git a/ejabberd-0003-Introducing-mod_admin_extra.patch b/ejabberd-0003-Introducing-mod_admin_extra.patch index cac9b0a..3f9d8a7 100644 --- a/ejabberd-0003-Introducing-mod_admin_extra.patch +++ b/ejabberd-0003-Introducing-mod_admin_extra.patch @@ -1,7 +1,7 @@ From 363bfab713d9267e3186126d2df4162f24969d8c Mon Sep 17 00:00:00 2001 
From: Badlop <badlop@process-one.net> Date: Tue, 16 Feb 2010 16:12:17 +0300 -Subject: [PATCH 3/8] Introducing mod_admin_extra +Subject: [PATCH 03/10] Introducing mod_admin_extra Adds the mod_admin_extra module to ejabberd. This module extends the functionality provided by ejabberdctl diff --git a/ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch b/ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch index 6a3e5d2..20cf399 100644 --- a/ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch +++ b/ejabberd-0004-Fedora-specific-changes-to-ejabberdctl.patch @@ -1,7 +1,7 @@ From 2e72b2ac86fcbc5902555621422db36684d42385 Mon Sep 17 00:00:00 2001 From: Peter Lemenkov <lemenkov@gmail.com> Date: Tue, 16 Feb 2010 16:30:05 +0300 -Subject: [PATCH 4/8] Fedora-specific changes to ejabberdctl +Subject: [PATCH 04/10] Fedora-specific changes to ejabberdctl Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> --- diff --git a/ejabberd-0005-Install-.so-objects-with-0755-permissions.patch b/ejabberd-0005-Install-.so-objects-with-0755-permissions.patch index 354b1d3..af85b3c 100644 --- a/ejabberd-0005-Install-.so-objects-with-0755-permissions.patch +++ b/ejabberd-0005-Install-.so-objects-with-0755-permissions.patch @@ -1,7 +1,7 @@ From 75f9fdbe72c77c1521edc7402c0d27883dadf46c Mon Sep 17 00:00:00 2001 From: Peter Lemenkov <lemenkov@gmail.com> Date: Sat, 12 Jun 2010 14:14:52 +0400 -Subject: [PATCH 5/8] Install *.so objects with 0755 permissions +Subject: [PATCH 05/10] Install *.so objects with 0755 permissions Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> --- diff --git a/ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch b/ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch index 30c5df1..a9b4dda 100644 --- a/ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch +++ b/ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch @@ -1,7 +1,7 @@ 
From e49dbaca001a3d311a2f8a8e878c5b8b6fc385c0 Mon Sep 17 00:00:00 2001 From: Badlop <badlop@process-one.net> Date: Thu, 15 Apr 2010 17:20:16 +0200 -Subject: [PATCH 6/8] Support SASL GSSAPI authentication (thanks to Mikael +Subject: [PATCH 06/10] Support SASL GSSAPI authentication (thanks to Mikael Magnusson)(EJAB-831) --- diff --git a/ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch b/ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch index 09f67fb..d0d1d40 100644 --- a/ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch +++ b/ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch @@ -1,7 +1,7 @@ From a8910615b82e7af8cb32916792970de0b53e5872 Mon Sep 17 00:00:00 2001 From: Peter Lemenkov <lemenkov@gmail.com> Date: Sat, 18 Jun 2011 23:24:28 +0400 -Subject: [PATCH 7/8] Disable INET_DIST_INTERFACE by default +Subject: [PATCH 07/10] Disable INET_DIST_INTERFACE by default Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> --- diff --git a/ejabberd-0008-Clean-up-false-security-measure.patch b/ejabberd-0008-Clean-up-false-security-measure.patch index 83fa98c..a44f130 100644 --- a/ejabberd-0008-Clean-up-false-security-measure.patch +++ b/ejabberd-0008-Clean-up-false-security-measure.patch @@ -1,7 +1,7 @@ From c827055ee650243c2af546753743f692ae0fe758 Mon Sep 17 00:00:00 2001 From: Peter Lemenkov <lemenkov@gmail.com> Date: Wed, 17 Jul 2013 14:56:09 +0400 -Subject: [PATCH 8/8] Clean up false security measure +Subject: [PATCH 08/10] Clean up false security measure Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> --- diff --git a/ejabberd-0009-Enable-polkit-support.patch b/ejabberd-0009-Enable-polkit-support.patch new file mode 100644 index 0000000..fd31fd1 --- /dev/null +++ b/ejabberd-0009-Enable-polkit-support.patch 
@@ -0,0 +1,23 @@
+From f2420ac96bb52eeb5a01111cabb4f5580db42142 Mon Sep 17 00:00:00 2001
+From: Peter Lemenkov <lemenkov@gmail.com>
+Date: Wed, 17 Jul 2013 14:51:04 +0400
+Subject: [PATCH 09/10] Enable polkit support
+
+Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
+---
+ src/ejabberdctl.template | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ejabberdctl.template b/src/ejabberdctl.template
+index b298e01..fa6c5c2 100644
+--- a/src/ejabberdctl.template
++++ b/src/ejabberdctl.template
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/usr/bin/pkexec /bin/sh
+
+ # define default configuration
+ POLL=true
+--
+1.8.3.1
+
diff --git a/ejabberd-0010-Install-into-BINDIR-instead-of-SBINDIR.patch b/ejabberd-0010-Install-into-BINDIR-instead-of-SBINDIR.patch
new file mode 100644
index 0000000..3868b01
--- /dev/null
+++ b/ejabberd-0010-Install-into-BINDIR-instead-of-SBINDIR.patch
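Review bot: With `#!/usr/bin/pkexec /bin/sh` as the interpreter line, every invocation of ejabberdctl goes through pkexec, read-only subcommands included, and presumably so does any non-interactive caller such as the init script that the Makefile points at this path; nothing in the template says so. The rest of the template is outside this hunk, so it cannot be confirmed from here whether the script drops to the ejabberd user before acting on its arguments. That is worth checking, because the arguments come from the unprivileged caller. I would add a comment directly under the shebang, for example `# Runs through pkexec; authorisation is the polkit action ejabberd.ejabberdctl.run, matched on /bin/sh + /usr/bin/ejabberdctl`, so the coupling to the policy file's exec.path and exec.argv1 annotations is visible to whoever changes the install path next.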
@@ -0,0 +1,50 @@
+From 729db839b762a472444bacff22a1cb8870635272 Mon Sep 17 00:00:00 2001
+From: Peter Lemenkov <lemenkov@gmail.com>
+Date: Wed, 17 Jul 2013 14:53:49 +0400
+Subject: [PATCH 10/10] Install into BINDIR instead of SBINDIR
+
+Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
+---
+ src/Makefile.in | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/Makefile.in b/src/Makefile.in
+index 1a1fa41..1578183 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -92,7 +92,7 @@ DESTDIR =
+ ETCDIR = $(DESTDIR)@sysconfdir@/ejabberd
+
+ # /sbin/
+-SBINDIR = $(DESTDIR)@sbindir@
++BINDIR = $(DESTDIR)@bindir@
+
+ # /lib/ejabberd/
+ EJABBERDDIR = $(DESTDIR)@libdir@/ejabberd
+@@ -201,11 +201,11 @@ install: all
+ install -b -m 644 $(G_USER) inetrc $(ETCDIR)/inetrc
+ #
+ # Administration script
+- [ -d $(SBINDIR) ] || install -d -m 755 $(SBINDIR)
+- install -m 755 $(G_USER) ejabberdctl.example $(SBINDIR)/ejabberdctl
++ [ -d $(BINDIR) ] || install -d -m 755 $(BINDIR)
++ install -m 755 $(G_USER) ejabberdctl.example $(BINDIR)/ejabberdctl
+ #
+ # Init script
+- sed -e "s*@ctlscriptpath@*$(SBINDIR)*" \
++ sed -e "s*@ctlscriptpath@*$(BINDIR)*" \
+ -e "s*@installuser@*$(INIT_USER)*" ejabberd.init.template \
+ > ejabberd.init
+ chmod 755 ejabberd.init
+@@ -273,7 +273,7 @@ install: all
+ uninstall: uninstall-binary
+
+ uninstall-binary:
+- rm -f $(SBINDIR)/ejabberdctl
++ rm -f $(BINDIR)/ejabberdctl
+ rm -fr $(DOCDIR)
+ rm -f $(BEAMDIR)/*.beam
+ rm -f $(BEAMDIR)/*.app
+--
+1.8.3.1
+
diff --git a/ejabberd.spec b/ejabberd.spec
index 2994ccb..0da7471 100644
--- a/ejabberd.spec
+++ b/ejabberd.spec
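Review bot: The context comment `# /sbin/` directly above the new `BINDIR = $(DESTDIR)@bindir@` line is left stale by this patch and should read `# /bin/`. The polkit action added in the same commit hardcodes `/usr/bin/ejabberdctl` in its exec.argv1 annotation, while the install location here follows `@bindir@`. If a build configures a different bindir, pkexec would presumably no longer match the ejabberd-specific action. A short comment next to BINDIR, such as `# must stay in sync with exec.argv1 in the polkit action file`, would record that dependency.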
@@ -1,10 +1,11 @@ -%global realname ejabberd -%global upstream processone -%global git_tag 5feeacf -%global patchnumber 0 - - %global _hardened_build 1 +# FIXME non-standard directory for storing *.so objects +%{?filter_setup: +%filter_provides_in %{_libdir}/ejabberd/priv/lib/.*\.so$ +%filter_setup +} +%{expand: %(NIF_VER=`rpm -q erlang-erts --provides | grep --color=no erl_nif_version` ; if [ "$NIF_VER" != "" ]; then echo %%global __erlang_nif_version $NIF_VER ; fi)} +%{expand: %(DRV_VER=`rpm -q erlang-erts --provides | grep --color=no erl_drv_version` ; if [ "$DRV_VER" != "" ]; then echo %%global __erlang_drv_version $DRV_VER ; fi)} # Currently, hevea available only in Fedora @@ -12,24 +13,26 @@ %ifarch %{power64} s390 s390x sparc64 # No hevea for these architectures # see https://bugzilla.redhat.com/bugzilla/250253 -%global with_hevea 0 +%global _with_hevea 0 %else -# Hevea is deadly broken currently -%global with_hevea 0 +# FIXME Hevea is deadly broken currently +%global _with_hevea 0 %endif %endif Name: ejabberd Version: 2.1.13 -Release: 4%{?dist} +Release: 6%{?dist} Summary: A distributed, fault-tolerant Jabber/XMPP server Group: Applications/Internet License: GPLv2+ URL: http://www.ejabberd.im/ -# wget --content-disposition https://github.com/processone/ejabberd/tarball/v2.1.13 -Source0: %{upstream}-%{realname}-v%{version}-%{patchnumber}-g%{git_tag}.tar.gz +%if 0%{?el7}%{?fedora} +VCS: scm:git:https://github.com/processone/ejabberd.git +%endif +Source0: https://github.com/processone/%{name}/archive/v%{version}/%{name}-v%{version}.tar.gz Source1: ejabberd.init Source2: ejabberd.logrotate Source3: ejabberd.sysconfig 
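Review bot: The two `%{expand: %(... rpm -q erlang-erts --provides | grep ...)}` lines in the first hunk read the build host's RPM database when the spec is parsed, and if erlang-erts is not installed at that moment the `if [ "$DRV_VER" != "" ]` guard leaves the macro undefined without any message. The `%{?__erlang_drv_version:Requires: %{__erlang_drv_version}}` line added later in this diff then expands to nothing, so the package would be built without the driver-version dependency the changelog entry announces. `__erlang_nif_version` is defined here but no visible hunk uses it; either add the matching conditional Requires or drop the definition. A comment above the two lines stating that erlang-erts must be present at parse time would make this failure mode visible to the next packager.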
@@ -45,8 +48,8 @@ Source11: ejabberd.pam # usermode support for old systems Source10: ejabberdctl.apps # polkit support -Source12: ejabberdctl.polkit.rules -Source13: ejabberdctl.sh +Source12: ejabberdctl.polkit.actions +Source13: ejabberdctl.polkit.rules # Use ejabberd as an example for PAM service name (fedora/epel-specific) Patch1: ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch @@ -64,6 +67,10 @@ Patch6: ejabberd-0006-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch Patch7: ejabberd-0007-Disable-INET_DIST_INTERFACE-by-default.patch # Don't try to make system-wide scripts unreadable for users (fedora/epel-specific) Patch8: ejabberd-0008-Clean-up-false-security-measure.patch +# polkit support +Patch9: ejabberd-0009-Enable-polkit-support.patch +# polkit support +Patch10:ejabberd-0010-Install-into-BINDIR-instead-of-SBINDIR.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -71,7 +78,7 @@ BuildRequires: expat-devel BuildRequires: openssl-devel >= 0.9.8 BuildRequires: pam-devel BuildRequires: erlang -%if 0%{?with_hevea} +%if 0%{?_with_hevea} BuildRequires: hevea BuildRequires: texlive BuildRequires: texlive-comment @@ -137,6 +144,7 @@ Requires: polkit %endif # for flock in ejabberdctl Requires: util-linux +%{?__erlang_drv_version:Requires: %{__erlang_drv_version}} %description @@ -159,7 +167,7 @@ Group: Documentation Documentation for ejabberd. %prep -%setup -q -n %{upstream}-%{realname}-2ed62dc +%setup -q %patch1 -p1 -b .pam_name %patch2 -p1 -b .s2s_delays @@ -169,6 +177,10 @@ Documentation for ejabberd. %patch6 -p1 -b .gssapi %patch7 -p1 -b .disable_ip_restriction_for_ejabberdctl %patch8 -p1 -b .dont_hide +%if 0%{?el7}%{?fedora} +%patch9 -p1 -b .use_polkit +%patch10 -p1 -b .usr_bin +%endif %build 
@@ -178,7 +190,7 @@ autoreconf -ivf # doesn't build on SMP currently make popd -%if 0%{?with_hevea} +%if 0%{?_with_hevea} pushd doc # remove pre-built docs rm -f dev.html features.html features.pdf guide.html guide.pdf @@ -245,9 +257,9 @@ mkdir -p %{buildroot}%{_bindir} ln -s consolehelper %{buildroot}%{_bindir}/ejabberdctl install -D -p -m 0644 %{S:10} %{buildroot}%{_sysconfdir}/security/console.apps/ejabberdctl %else -# Install polkit file -install -D -p -m 0644 %{S:12} %{buildroot}%{_datadir}/polkit-1/rules.d/51-ejabberdctl.rules -install -D -p -m 0755 %{S:13} %{buildroot}%{_bindir}/ejabberdctl +# Use polkit +install -D -p -m 0644 %{S:12} %{buildroot}%{_datadir}/polkit-1/actions/ejabberdctl.policy +install -D -p -m 0644 %{S:13} %{buildroot}%{_datadir}/polkit-1/rules.d/51-ejabberdctl.rules %endif # Remove installed doc-files @@ -370,12 +382,13 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/pam.d/%{name} %config(noreplace) %{_sysconfdir}/pam.d/ejabberdctl %if 0%{?el5}%{?el6} +%{_sbindir}/ejabberdctl %config(noreplace) %{_sysconfdir}/security/console.apps/ejabberdctl %else +%{_datadir}/polkit-1/actions/ejabberdctl.policy %{_datadir}/polkit-1/rules.d/51-ejabberdctl.rules %endif %{_bindir}/ejabberdctl -%{_sbindir}/ejabberdctl %dir %{_libdir}/%{name} %dir %{_libdir}/%{name}/ebin @@ -434,13 +447,20 @@ rm -rf %{buildroot} %files doc %doc doc/*.html %doc doc/*.png -%if 0%{?with_hevea} +%if 0%{?_with_hevea} %doc doc/*.pdf %endif %doc doc/*.txt %changelog +* Sat Oct 26 2013 Peter Lemenkov <lemenkov@gmail.com> - 2.1.13-6 +- Fix polkit again +- Add dependency on Erlang's driver version + +* Fri Sep 27 2013 Peter Lemenkov <lemenkov@gmail.com> - 2.1.13-5 +- Fix wrong polkit policy (rhbz #1009408) + * Sun Sep 15 2013 Peter Lemenkov <lemenkov@gmail.com> - 2.1.13-4 - Use polkit instead of usermode on modern systems - Restore user/group provides diff --git a/ejabberdctl.polkit.actions b/ejabberdctl.polkit.actions new file mode 100644 index 0000000..f3ef4f4 --- /dev/null 
+++ b/ejabberdctl.polkit.actions
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+ <action id="ejabberd.ejabberdctl.run">
+ <_description>Run ejabberd control script</_description>
+ <_message>Authentication is required for running ejabberdctl</_message>
+ <defaults>
+ <allow_any>no</allow_any>
+ <allow_inactive>auth_self</allow_inactive>
+ <allow_active>auth_self</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.exec.path">/bin/sh</annotate>
+ <annotate key="org.freedesktop.policykit.exec.argv1">/usr/bin/ejabberdctl</annotate>
+ </action>
+</policyconfig>
diff --git a/ejabberdctl.polkit.rules b/ejabberdctl.polkit.rules
index 1037d3a..cf899b5 100644
--- a/ejabberdctl.polkit.rules
+++ b/ejabberdctl.polkit.rules
@@ -1,9 +1,4 @@
 polkit.addRule(function(action, subject) {
- var CommandLine = action.lookup("command_line").split(" ");
- if (action.id == "org.freedesktop.policykit.exec" && (CommandLine[0] == "/sbin/ejabberdctl" || CommandLine[0] == "/usr/sbin/ejabberdctl")){
- if(subject.isInGroup("ejabberd"))
- return polkit.Result.YES;
- else
- return polkit.Result.NO;
- }
+ if ((action.id == "ejabberd.ejabberdctl.run") && (subject.isInGroup("ejabberd")))
+ return polkit.Result.YES;
 });
diff --git a/ejabberdctl.sh b/ejabberdctl.sh
deleted file mode 100644
index 92a0519..0000000
--- a/ejabberdctl.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/usr/bin/pkexec /usr/sbin/ejabberdctl "$@"
@@ -1 +1 @@
-ed78ba6f50d3e2695234ace534e4a932 processone-ejabberd-v2.1.13-0-g5feeacf.tar.gz
+2a7c3b711b4f7091f811c51b52beb735 ejabberd-v2.1.13.tar.gz |
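Review bot: The defaults in the new action are `auth_self` for both `allow_inactive` and `allow_active`, so any user with a local session can authorise `ejabberd.ejabberdctl.run` with their own password and have the control script started through pkexec. The rules hunk in this commit makes that the effective policy for everyone outside the ejabberd group: the old rule returned `polkit.Result.NO` for non-members, while the new one returns YES only for members and otherwise falls through to these defaults. If the intent is that only ejabberd-group members and administrators may run the tool, set `<allow_inactive>auth_admin</allow_inactive>` and `<allow_active>auth_admin</allow_active>`, or restore an explicit `return polkit.Result.NO;` for non-members in the rule. A comment in the policy file stating who is meant to be allowed would make the next change to either file easier to review.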