[ejabberd] epam issue

Dennis Schridde devurandom at gmx.net
Tue Feb 21 17:23:06 MSK 2012


Hello list, hello Holger!

On Tuesday, 21 February 2012, 12:47:03, Holger Mickler wrote:
> for any file to be executed, you need to be able to read it (what would you
> want to execute?)
> -> members of the "jabber" group cannot execute the file because they are
> not allowed to read its contents.
Afaik this is not true. The kernel is the one who initiates the execution 
(unless you do some mmap magic and jump into the executable yourself - no idea 
whether anyone actually does such stuff), instructed by the application via 
the execve syscall and similar. For that it just checks the executable 
permission - the application does not need to read the file.

> So maybe chmod g+r epam fixes your problem?
setuid files (like epam here) don't have that bit set for security reasons.
(I assume the idea behind that being: The file runs as root - if you could 
read it, you could analyse it and find weaknesses.)

Additionally this would not explain why
# su jabber -p -c /usr/lib/erlang/lib/ejabberd-2.1.10/priv/bin/epam
produces no error.

Kind regards and thanks for everyone's tips and ideas,
Dennis

> On 21.02.2012 12:07, Dennis Schridde wrote:
> > Hello!
> > 
> > On Tuesday, 21 February 2012, 02:03:04, CGS wrote:
> >> Did you check the permissions/privileges to match for both? That's because
> >> I noticed you used "su" + command to execute it and you didn't mention how
> >> you started Ejabberd.
> > 
> > I assume ejabberd is normally supposed to start epam itself? Or should I
> > really start it myself, as I did for testing only?
> > 
> > Anyway, these are the permissions for epam:
> > -rws--x--- 1 root jabber 103288 Jan 31 17:13 /usr/lib/erlang/lib/ejabberd-2.1.10/priv/bin/epam
> > 
> > ejabberd is being started as user jabber which belongs to group jabber -
> > that's what /usr/sbin/ejabberdctl says at least.
> > 
> > If I read src/pam/epam.erl:init correctly, it should probably warn if it
> > cannot open the file, right?
> > 
> > Kind regards,
> > Dennis
> > 
> > P.S: I am now subscribed to the list.
> > 
> >> On Tue, Feb 21, 2012 at 1:09 AM, Dennis Schridde <devurandom at gmx.net> wrote:
> >>> Hello everyone!
> >>> 
> >>> I am currently unable to start ejabberd, but I do not understand the reason.
> >>> It appears to be epam which cannot be started.
> >>> 
> >>> /usr/lib/erlang/lib/ejabberd-2.1.10/priv/bin/epam exists and can be executed
> >>> by root and by jabber via "su jabber -p -c ". It does not generate any output,
> >>> open a network socket or any other obvious means of interaction, though.
> >>> 
> >>> I also checked ejabberd:get_bin_path() and it points to the correct path.
> >>> 
> >>> It would be nice if someone could give me a hint at what is going wrong here.
> >>> 
> >>> Thanks,
> >>> Dennis
> >>> 
> >>> 
> >>> _______________________________________________
> >>> ejabberd mailing list
> >>> ejabberd at jabber.ru
> >>> http://lists.jabber.ru/mailman/listinfo/ejabberd
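The permission question in this thread, worked through as an added example (not code from the thread or from ejabberd): it evaluates an `ls -l` mode string the way the kernel picks a permission class, showing that `-rws--x--- root jabber` lets a member of group jabber execute the file without being able to read it. The function names `parse_ls_mode` and `audit_exec` are hypothetical; root's override, ACLs and mount options are not modelled, and a `#!` script (unlike a compiled binary such as epam) would additionally need to be readable by its interpreter.

```python
import stat

# Bit for each of the nine permission columns of an `ls -l` mode string.
_COLUMNS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
            stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
            stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# Execute columns that may show setuid/setgid/sticky instead of a plain 'x'.
_SPECIAL = {2: (stat.S_ISUID, "sS"), 5: (stat.S_ISGID, "sS"), 8: (stat.S_ISVTX, "tT")}


def parse_ls_mode(text):
    """Turn e.g. '-rws--x---' into numeric mode bits (file type char ignored)."""
    if len(text) != 10:
        raise ValueError("expected 10 characters, got %r" % text)
    mode = 0
    for i, ch in enumerate(text[1:]):
        if ch == "rwx"[i % 3]:
            mode |= _COLUMNS[i]
        elif i in _SPECIAL and ch in _SPECIAL[i][1]:
            mode |= _SPECIAL[i][0]
            if ch.islower():        # 's'/'t': the execute bit is set as well
                mode |= _COLUMNS[i]
        elif ch != "-":
            raise ValueError("bad mode character %r at column %d" % (ch, i + 1))
    return mode


def audit_exec(mode_text, owner, group, user, user_groups):
    """Report what a non-root `user` may do with the file (hypothetical helper)."""
    mode = parse_ls_mode(mode_text)
    # Exactly one class applies: owner first, then group, then other.
    if user == owner:
        cls, shift = "owner", 6
    elif group in user_groups:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bits = (mode >> shift) & 0o7
    can_exec = bool(bits & 0o1)
    runs_as = None
    if can_exec:
        # With setuid set, execve() switches the effective user to the file owner.
        runs_as = owner if mode & stat.S_ISUID else user
    return {"class": cls, "read": bool(bits & 0o4), "exec": can_exec, "runs_as": runs_as}


if __name__ == "__main__":
    # Mode, owner and group as quoted in the thread; the caller is user jabber.
    print(audit_exec("-rws--x---", "root", "jabber", "jabber", {"jabber"}))
```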