author | Randy Barlow <randy@electronsweatshop.com> | 2016-12-01 11:39:45 -0500 |
---|---|---|
committer | Randy Barlow <randy@electronsweatshop.com> | 2016-12-01 11:39:45 -0500 |
commit | a371d5c070eed365bbcdf2ffc346b6456084ff48 (patch) | |
tree | 82e0c25f43a2ce43692b284216516a4c05ccc966 | |
parent | 4c04c7f3dd9516be42c060f4c250aa15687712f3 (diff) | |
Drop the use of -set-cookie since it is unsafe.
Also, configure the ejabberdctl script to set INSTALLUSER so it
uses su to be ejabberd (#1163812).
-rw-r--r-- | ejabberd-0005-Use-set-cookie-when-running-erl-in-ejabberdctl.templ.patch | 46 | ||||
-rw-r--r-- | ejabberd-0005-ejabberdctl-should-not-try-to-create-the-ejabberd-us.patch | 33 | ||||
-rw-r--r-- | ejabberd.spec | 17 |
3 files changed, 44 insertions, 52 deletions
diff --git a/ejabberd-0005-Use-set-cookie-when-running-erl-in-ejabberdctl.templ.patch b/ejabberd-0005-Use-set-cookie-when-running-erl-in-ejabberdctl.templ.patch
deleted file mode 100644
index e6ef8e9..0000000
--- a/ejabberd-0005-Use-set-cookie-when-running-erl-in-ejabberdctl.templ.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 42ed5993d433a2aa12239d9ea8004016ca3df6c5 Mon Sep 17 00:00:00 2001
-From: Randy Barlow <randy@electronsweatshop.com>
-Date: Sun, 27 Nov 2016 11:49:19 -0500
-Subject: [PATCH] Use -set-cookie when running erl in ejabberdctl.template.
-
-This patch converts the ejabberdctl.template to use erl's
--set-cookie option when an .erlang.cookie file is found in
-$SPOOL_DIR. This will help for installations where ejabberd might
-be started by one user, but ejabberdctl might be used by a
-different user to manage it. For example, in Fedora ejabberd is
-launched by systemd as the ejabberd user, but users might want to
-use "sudo ejabberdctl" to manage the node.
----
- ejabberdctl.template | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/ejabberdctl.template b/ejabberdctl.template
-index 5b34ebe..7d1ab00 100755
---- a/ejabberdctl.template
-+++ b/ejabberdctl.template
-@@ -96,6 +96,13 @@ ERL_INETRC=$ETC_DIR/inetrc
- MNESIA_OPTS="-mnesia dir \"\\\"$SPOOL_DIR\\\"\" $MNESIA_OPTIONS"
- # define erl parameters
- ERLANG_OPTS="+K $POLL -smp $SMP +P $ERL_PROCESSES $ERL_OPTIONS"
-+
-+# Determine if the .erlang.cookie file is present or not, and use -setcookie if it is
-+if [ -f "$SPOOL_DIR/.erlang.cookie" ] ; then
-+ ERLANG_COOKIE=$(cat "$SPOOL_DIR/.erlang.cookie")
-+ ERLANG_OPTS+=" -setcookie $ERLANG_COOKIE"
-+fi
-+
- KERNEL_OPTS=""
- if [ "$FIREWALL_WINDOW" != "" ] ; then
- KERNEL_OPTS="${KERNEL_OPTS} -kernel inet_dist_listen_min ${FIREWALL_WINDOW%-*} inet_dist_listen_max ${FIREWALL_WINDOW#*-}"
-@@ -360,7 +367,7 @@ ctl()
- {
- NID=$(uid ctl)
- CMD="`shell_escape \"$ERL\" \"$NAME\" \"$NID\"` \
-- -noinput -hidden $KERNEL_OPTS -s ejabberd_ctl \
-+ -noinput -hidden $KERNEL_OPTS $ERLANG_OPTS -s ejabberd_ctl \
- -extra `shell_escape \"$ERLANG_NODE\"` $EJABBERD_NO_TIMEOUT \
- `shell_escape \"$@\"`"
- $EXEC_CMD "$CMD"
---
-2.10.2
-
diff --git a/ejabberd-0005-ejabberdctl-should-not-try-to-create-the-ejabberd-us.patch b/ejabberd-0005-ejabberdctl-should-not-try-to-create-the-ejabberd-us.patch
new file mode 100644
index 0000000..70cf833
--- /dev/null
+++ b/ejabberd-0005-ejabberdctl-should-not-try-to-create-the-ejabberd-us.patch
@@ -0,0 +1,33 @@
+From ce75f79ee70af1b43beb1a00e5501dbdc5532cc3 Mon Sep 17 00:00:00 2001
+From: Randy Barlow <randy@electronsweatshop.com>
+Date: Thu, 1 Dec 2016 10:58:59 -0500
+Subject: [PATCH] ejabberdctl should not try to create the ejabberd user's
+ home.
+
+Also, explicitly use bash as the shell when using su to be the
+ejabberd user.
+---
+ ejabberdctl.template | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/ejabberdctl.template b/ejabberdctl.template
+index 5b34ebe..00e4113 100755
+--- a/ejabberdctl.template
++++ b/ejabberdctl.template
+@@ -22,12 +22,7 @@ if [ "$INSTALLUSER" != "" ] ; then
+ EXEC_CMD="false"
+ for GID in `id -G`; do
+ if [ $GID -eq 0 ] ; then
+- INSTALLUSER_HOME=$(getent passwd "$INSTALLUSER" | cut -d: -f6)
+- if [ -n "$INSTALLUSER_HOME" ] && [ ! -d "$INSTALLUSER_HOME" ] ; then
+- mkdir -p "$INSTALLUSER_HOME"
+- chown "$INSTALLUSER" "$INSTALLUSER_HOME"
+- fi
+- EXEC_CMD="su $INSTALLUSER -c"
++ EXEC_CMD="su $INSTALLUSER -s /usr/bin/bash -c"
+ fi
+ done
+ if [ `id -g` -eq `id -g $INSTALLUSER` ] ; then
+--
+2.10.2
+
diff --git a/ejabberd.spec b/ejabberd.spec
index 2d30c57..69111b8 100644
--- a/ejabberd.spec
+++ b/ejabberd.spec
@@ -5,7 +5,7 @@ Name: ejabberd Version: 16.09 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A distributed, fault-tolerant Jabber/XMPP server License: GPLv2+
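Review bot: The new `EXEC_CMD="su $INSTALLUSER -s /usr/bin/bash -c"` line in the added Patch5 has no comment saying why the shell must be forced, and the patch header only states that it is. Presumably the ejabberd account is created with a non-login shell, so `su -c` would fail without `-s`; a one-line comment above the assignment, e.g. `# service account has no login shell; su needs an explicit one to run -c`, would keep a later cleanup from dropping the option. Plain `su` without `-l` also leaves most of root's environment and root's controlling terminal attached to the process that runs as ejabberd, so the same comment should say whether that is intended. The enclosing `if [ "$INSTALLUSER" != "" ]` block starts and ends outside the inner hunk.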
@@ -35,9 +35,10 @@ Patch2: ejabberd-0002-Enable-polkit-support.patch Patch3: ejabberd-0003-Install-into-BINDIR-instead-of-SBINDIR.patch # Fedora-specific Patch4: ejabberd-0004-Enable-systemd-notification-if-available.patch -# Use -set-cookie to allow non-ejabberd users (such as root) to also run ejabberdctl. -# This patch was submitted upstream at https://github.com/processone/ejabberd/pull/1395 -Patch5: ejabberd-0005-Use-set-cookie-when-running-erl-in-ejabberdctl.templ.patch +# Patch the ejabberdctl script to su with bash when run as root. Also patch out +# code that tries to create the ejabberd user's home folder since that's the +# RPM's job. +Patch5: ejabberd-0005-ejabberdctl-should-not-try-to-create-the-ejabberd-us.patch BuildRequires: elixir >= 1.2.6 BuildRequires: erlang-cache_tab >= 1.0.4 @@ -106,7 +107,7 @@ Windows NT/2000/XP). %patch2 -p1 -b .use_polkit %patch3 -p1 -b .use_bindir %patch4 -p1 -b .enable_sd_notify -%patch5 -p1 -b .set_cookie +%patch5 -p1 -b .su_with_bash %build @@ -123,7 +124,7 @@ autoreconf -ivf %{erlang_install} sed -e "s*{{rootdir}}*%{_prefix}*" \ - -e "s*{{installuser}}**" \ + -e "s*{{installuser}}*%{name}*" \ -e "s*{{bindir}}*%{_bindir}*" \ -e "s*{{libdir}}*%{_erllibdir}*" \ -e "s*{{sysconfdir}}*%{_sysconfdir}*" \ @@ -286,6 +287,10 @@ fi) %changelog +* Thu Dec 01 2016 Randy Barlow <bowlofeggs@fedoraproject.org> - 16.09-4 +- Drop the use of -set-cookie since it is unsafe. +- Configure the ejabberdctl script to set INSTALLUSER so it uses su to be ejabberd (#1163812). + * Sun Nov 27 2016 Randy Barlow <bowlofeggs@fedoraproject.org> - 16.09-3 - Use -set-cookie in ejabberdctl so root can attach to the node (#1163812). - Mark ejabberdctl as executable. |
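Review bot: The `-e "s*{{installuser}}*%{name}*"` substitution in the `@@ -123,7 +124,7 @@` hunk turns on the template's INSTALLUSER branch, which changes who can run ejabberdctl, and neither the spec comment nor the changelog says so. Going by the template context visible in the new Patch5, EXEC_CMD starts as `false` and is replaced only when the caller has GID 0 among its groups or shares the ejabberd primary group (the rest of that branch is not shown, so this is inferred); callers outside both sets would presumably now get a silent failure. I would add a comment above the sed line such as `# run ejabberdctl as the ejabberd account; callers must be root or in the ejabberd group`, and confirm that `%{name}` matches the account the package actually creates. The GID-0 test in that branch is also looser than a root check on `id -u`, since a non-root member of group 0 would be sent down the su path.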