[ejabberd] epam issue

Holger Mickler holger.mickler at tu-dresden.de
Tue Feb 21 17:54:41 MSK 2012


Ah, I see. I only did a quick test with a shell script and it wouldn't work with
0710. Obviously, the interpreter needs to be able to read the contents :)

But with an ELF executable it's a different story, there 0710 suffices. Thanks
for the delight!


Another question: Have you tried installing ejabberd as the jabber user and running
it from this installation to be sure that your configuration is correct?


I have ejabberd installed from the installer package and it is running under its
own user account and I am quite happy with it.
Can you tell why you need to have this setuid stuff? Does this add security?

Regards,
  Holger



On 21.02.2012 14:23, Dennis Schridde wrote:
> Hello list, hello Holger!
> 
> On Tuesday, 21 February 2012, 12:47:03, Holger Mickler wrote:
>> for any file to be executed, you need to be able to read it (what would you
>> want to execute?)
>> -> members of the "jabber" group cannot execute the file because they are
>> not allowed to read its contents.
> Afaik this is not true. The kernel is the one who initiates the execution
> (unless you do some mmap magic and jump into the executable yourself - no idea
> whether anyone actually does such stuff), instructed by the application via
> the execve syscall and similar. For that it just checks the executable
> permission - the application does not need to read the file.
> 
>> So maybe chmod g+r epam fixes your problem?
> setuid files (like epam here) don't have that bit set for security reasons.
> (I assume the idea behind that being: The file runs as root - if you could 
> read it, you could analyse it and find weaknesses.)
> 
> Additionally this would not explain why
> # su jabber -p -c /usr/lib/erlang/lib/ejabberd-2.1.10/priv/bin/epam
> produces no error.
> 
> Kind regards and thanks for everyone's tips and ideas,
> Dennis
> 
>> On 21.02.2012 12:07, Dennis Schridde wrote:
>>> Hello!
>>>
>>> On Tuesday, 21 February 2012, 02:03:04, CGS wrote:
>>>> Did you check the permissions/privileges to match for both? That's because
>>>> I noticed you used "su" + command to execute it and you didn't mention how
>>>> you started Ejabberd.
>>>
>>> I assume ejabberd is normally supposed to start epam itself? Or should I
>>> really start it myself, as I did for testing only?
>>>
>>> Anyway, these are the permissions for epam:
>>> -rws--x--- 1 root jabber 103288 Jan 31 17:13
>>> /usr/lib/erlang/lib/ejabberd-2.1.10/priv/bin/epam
>>>
>>> ejabberd is being started as user jabber which belongs to group jabber -
>>> that's what /usr/sbin/ejabberdctl says at least.
>>>
>>> If I read src/pam/epam.erl:init correctly, it should probably warn if it
>>> cannot open the file, right?
>>>
>>> Kind regards,
>>> Dennis
>>>
>>> P.S: I am now subscribed to the list.
>>>
>>>> On Tue, Feb 21, 2012 at 1:09 AM, Dennis Schridde <devurandom at gmx.net> wrote:
>>>>> Hello everyone!
>>>>>
>>>>> I am currently unable to start ejabberd, but I do not understand the reason.
>>>>> It appears to be epam which cannot be started.
>>>>>
>>>>> /usr/lib/erlang/lib/ejabberd-2.1.10/priv/bin/epam exists and can be executed
>>>>> by root and by jabber via "su jabber -p -c ". It does not generate any output,
>>>>> open a network socket or any other obvious means of interaction, though.
>>>>>
>>>>> I also checked ejabberd:get_bin_path() and it points to the correct path.
>>>>>
>>>>> It would be nice if someone could give me a hint at what is going wrong here.
>>>>>
>>>>> Thanks,
>>>>> Dennis
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> ejabberd mailing list
>>>>> ejabberd at jabber.ru
>>>>> http://lists.jabber.ru/mailman/listinfo/ejabberd

-- 
Dipl.-Inf. Holger Mickler

Technische Universität Dresden
Center for Information Services
and High Performance Computing (ZIH)
01062 Dresden
Germany

Office:  Willers-Bau (WIL) A36
Tel.:    +49 (351) 463-37903
Fax:     +49 (351) 463-37773
E-Mail:  holger.mickler at tu-dresden.de
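As an added illustration (not code from anyone in this thread), the following Python checker applies the distinction discussed above to a file's mode bits: execve() only needs the execute bit for the caller's class, so a 0710 ELF binary such as epam is runnable by group members, whereas a script with the same mode is not, because its interpreter must open() and read it. The file names are constructed for the example.

```python
"""Report whether a non-owner member of a file's group could run it.

The kernel's execve() checks only the execute bit for the caller, so a
0710 (-rwx--x---) ELF binary runs for group members even though they
cannot read it. A script is different: the kernel starts the interpreter
named on its #! line, and that interpreter then has to read the script,
which 0710 denies to the group. (Linux also ignores setuid on scripts.)
"""
import os
import stat

ELF_MAGIC = b"\x7fELF"


def classify(path):
    """Return 'elf', 'script' or 'other' from the file's first bytes.

    This read is done by the auditor (owner or root), not by the group
    member whose access is being evaluated.
    """
    with open(path, "rb") as f:
        head = f.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def group_can_run(path):
    """Return the relevant mode bits and a verdict for group members.

    Pure stat()-based check: the result does not depend on who runs it.
    """
    mode = os.stat(path).st_mode
    kind = classify(path)
    group_exec = bool(mode & stat.S_IXGRP)
    group_read = bool(mode & stat.S_IRGRP)
    setuid = bool(mode & stat.S_ISUID)
    if not group_exec:
        verdict = "no: group lacks the execute bit"
    elif kind == "script" and not group_read:
        verdict = "no: interpreter must read the script, group lacks read"
    elif kind == "other":
        verdict = "unknown: not an ELF binary or #! script"
    else:
        verdict = "yes"
    return {"mode": oct(stat.S_IMODE(mode)), "kind": kind, "setuid": setuid,
            "group_exec": group_exec, "group_read": group_read,
            "verdict": verdict}
```

Running it against a real setuid helper (for example the epam path from the thread) needs only stat() access plus the right to read the first four bytes, which root has.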


