Re: Adding a PAM config option to net-im/ejabberd
Lawrence Stewart writes:
> On 01/31/11 13:09, Ashish SHUKLA wrote:
>> Lawrence Stewart writes:
>>> On 01/31/11 00:45, Ashish SHUKLA wrote:
>>>> Hi Lawrence,
>>>>
>>>> Lawrence Stewart writes:
>>>>> Hi Ashish,
>>>>>
>>>>> What do you think about applying the attached patch to the ejabberd
>>>>> port? It installs some parts required to allow ejabberd to auth against
>>>>> PAM and is working great for me.
>>>>
>>>> Sure, I can apply it, once ports freeze is over. I also need to update
>>>> ejabberd. I'll do both together.
>>>
>>> Sounds good, thanks. One question: in order to get PAM auth working, you
>>> have to set uid root on the epam bits and chown them appropriately in
>>> order to allow things to work. Should the port installation process do
>>> these steps as well or should we leave them to the user? I would be
>>> inclined to have the port do them so that upgrading the port doesn't
>>> break PAM auth after the upgrade. We would want to print a big warning
>>> at the end of the port install about the set uid security aspects though.
>>
>> Thanks for the mention, I suggest adding mention of setuid bit in the
>> description of the OPTION. And of course port is going to set the setuid bit
>> during installation.
>>
>> And `security-check' target in bsd.port.mk will catch the setuid bit set on
>> the installed executable, and will inform the user as well. So, adding a
>> warning about setuid bit would be redundant, IMHO.
>
> Updated patch attached. Feel like committing it for me?

Sure. I'm doing an update to 2.1.6 this week, and will include your diff.

Thanks
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/

Avoid Success At All Costs !!
Re: Adding a PAM config option to net-im/ejabberd
On 01/31/11 13:09, Ashish SHUKLA wrote:
> Lawrence Stewart writes:
>> On 01/31/11 00:45, Ashish SHUKLA wrote:
>>> Hi Lawrence,
>>>
>>> Lawrence Stewart writes:
>>>> Hi Ashish,
>>>>
>>>> What do you think about applying the attached patch to the ejabberd
>>>> port? It installs some parts required to allow ejabberd to auth against
>>>> PAM and is working great for me.
>>>
>>> Sure, I can apply it, once ports freeze is over. I also need to update
>>> ejabberd. I'll do both together.
>>
>> Sounds good, thanks. One question: in order to get PAM auth working, you
>> have to set uid root on the epam bits and chown them appropriately in
>> order to allow things to work. Should the port installation process do
>> these steps as well or should we leave them to the user? I would be
>> inclined to have the port do them so that upgrading the port doesn't
>> break PAM auth after the upgrade. We would want to print a big warning
>> at the end of the port install about the set uid security aspects though.
>
> Thanks for the mention, I suggest adding mention of setuid bit in the
> description of the OPTION. And of course port is going to set the setuid bit
> during installation.
>
> And `security-check' target in bsd.port.mk will catch the setuid bit set on
> the installed executable, and will inform the user as well. So, adding a
> warning about setuid bit would be redundant, IMHO.

Updated patch attached. Feel like committing it for me?

Cheers,
Lawrence

--- Makefile.orig 2010-10-25 08:55:04.0 +1100 +++ Makefile2011-03-06 14:47:27.0 +1100 @@ -23,7 +23,8 @@ USE_RC_SUBR= ${PORTNAME} NOPRECIOUSMAKEVARS=yes -OPTIONS= ODBC"Enable ODBC support" off +OPTIONS= ODBC"Enable ODBC support" off \ + PAM "Enable setuid PAM auth support"off MAKE_ENV= PORTVERSION=${PORTVERSION} CONFIGURE_ARGS+=--localstatedir=/var 
@@ -55,6 +56,13 @@ PLIST_SUB+=ODBC="@comment " .endif +.if defined(WITH_PAM) +CONFIGURE_ARGS+=--enable-pam +PLIST_SUB+=PAM="" +.else +PLIST_SUB+=PAM="@comment " +.endif + .if defined(NOPORTDOCS) MAKE_ARGS+=NOPORTDOCS=${NOPORTDOCS} .endif @@ -67,6 +75,12 @@ ${FIND} ${PREFIX}/lib/erlang/lib/${DISTNAME} -type f -print0 | ${XARGS} -0 ${CHMOD} ${SHAREMODE} ${FIND} ${PREFIX}/lib/erlang/lib/${DISTNAME} -type f -print0 | ${XARGS} -0 ${CHOWN} ${SHAREOWN}:${SHAREGRP} +.if defined(WITH_PAM) + ${CHMOD} 4750 ${PREFIX}/lib/erlang/lib/${DISTNAME}/priv/bin/epam + ${CHOWN} root:ejabberd ${PREFIX}/lib/erlang/lib/${DISTNAME}/priv/bin/epam + ${INSTALL} -m 444 ${FILESDIR}/pam_ejabberd ${PREFIX}/etc/pam.d/ejabberd +.endif + @${CAT} ${PKGMESSAGE} .include --- pkg-plist.orig 2010-10-01 02:22:15.0 +1000 +++ pkg-plist 2011-03-06 14:16:50.0 +1100 @@ -58,6 +58,9 @@ %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/%%PORTNAME%%_odbc.beam %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/%%PORTNAME%%_odbc_sup.beam %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/odbc_queries.beam +%%PAM%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/epam.beam +%%PAM%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/priv/bin/epam +%%PAM%%etc/pam.d/ejabberd lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/dynamic_compile.beam lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/ejabberd_captcha.beam lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/ejabberd_commands.beam --- files/pam_ejabberd.orig 2011-03-06 13:00:15.0 +1100 +++ files/pam_ejabberd 2011-03-06 14:45:11.0 +1100 @@ -0,0 +1,6 @@ +# +# PAM configuration for the "ejabberd" service +# + +# auth +auth requiredpam_unix.so no_warn try_first_pass

___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
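Review bot: in the post-install hunk, `${CHMOD} 4750 .../priv/bin/epam` runs before `${CHOWN} root:ejabberd .../priv/bin/epam`; swap the two so ownership is fixed first and the mode, with its setuid bit, is the last thing applied to the final owner, which also keeps the result independent of whether the chown implementation strips setuid on an owner change. The same hunk relies on an `ejabberd` group existing at install time (the 4750 mode makes that group the only non-root principal able to run the helper); nothing in this patch creates it, so confirm the port does so before this step runs.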
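Review bot: in the pkg-plist hunk, `%%PAM%%etc/pam.d/ejabberd` is recorded as an ordinary packaged file, so a reinstall overwrites and a deinstall deletes the PAM policy even after the administrator has edited it; the usual ports convention for configuration is to install the file as a `.sample` and copy it into place only when no policy exists yet, with the plist updated to match.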
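Review bot: the new `files/pam_ejabberd` defines only the `auth` facility (`auth required pam_unix.so no_warn try_first_pass`), so account checks for the ejabberd service fall back to the system `other` policy; add an explicit `account required pam_unix.so` line so that locked or expired system accounts are rejected for XMPP logins by this policy itself rather than by whatever `other` happens to contain.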
Re: Adding a PAM config option to net-im/ejabberd
Lawrence Stewart writes:
> On 01/31/11 00:45, Ashish SHUKLA wrote:
>> Hi Lawrence,
>>
>> Lawrence Stewart writes:
>>> Hi Ashish,
>>>
>>> What do you think about applying the attached patch to the ejabberd
>>> port? It installs some parts required to allow ejabberd to auth against
>>> PAM and is working great for me.
>>
>> Sure, I can apply it, once ports freeze is over. I also need to update
>> ejabberd. I'll do both together.
>
> Sounds good, thanks. One question: in order to get PAM auth working, you
> have to set uid root on the epam bits and chown them appropriately in
> order to allow things to work. Should the port installation process do
> these steps as well or should we leave them to the user? I would be
> inclined to have the port do them so that upgrading the port doesn't
> break PAM auth after the upgrade. We would want to print a big warning
> at the end of the port install about the set uid security aspects though.

Thanks for the mention, I suggest adding mention of setuid bit in the
description of the OPTION. And of course port is going to set the setuid bit
during installation.

And `security-check' target in bsd.port.mk will catch the setuid bit set on
the installed executable, and will inform the user as well. So, adding a
warning about setuid bit would be redundant, IMHO.

Thanks
--
Ashish SHUKLA

“She dump(8)-ed me without caring to restore(8).” (abbe, 2005)
Re: Adding a PAM config option to net-im/ejabberd
On 01/31/11 00:45, Ashish SHUKLA wrote:
> Hi Lawrence,
>
> Lawrence Stewart writes:
>> Hi Ashish,
>>
>> What do you think about applying the attached patch to the ejabberd
>> port? It installs some parts required to allow ejabberd to auth against
>> PAM and is working great for me.
>
> Sure, I can apply it, once ports freeze is over. I also need to update
> ejabberd. I'll do both together.

Sounds good, thanks. One question: in order to get PAM auth working, you
have to set uid root on the epam bits and chown them appropriately in
order to allow things to work. Should the port installation process do
these steps as well or should we leave them to the user? I would be
inclined to have the port do them so that upgrading the port doesn't
break PAM auth after the upgrade. We would want to print a big warning
at the end of the port install about the set uid security aspects though.

Cheers,
Lawrence
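The message above describes what the epam helper needs to work (set uid root, chowned so that only ejabberd can run it) and the risk that a port upgrade silently undoes it. The shell function below is an added example, not code from this thread or from the ejabberd port: it audits an installed setuid helper against an exact expected mode and owner:group, which is the check an administrator would run after each upgrade and the kind of thing the `security-check` target reports on at install time. The function name `check_setuid_helper` is invented here; the path, owner and group are parameters, and the example invocation in the comments takes its path and `root:ejabberd` from Lawrence's updated patch in this thread, with the version left as a placeholder.

```sh
#!/bin/sh
# Added example, not code from this thread or from the ejabberd port: audit a
# setuid helper such as ejabberd's priv/bin/epam after an install or upgrade.
# check_setuid_helper PATH OWNER GROUP returns 0 when PATH is a regular file
# whose mode is exactly the one chmod 4750 produces and whose owner and group
# match; otherwise it explains each mismatch on stderr and returns 1.

EXPECTED_PERMS="-rwsr-x---"   # ls -l rendering of mode 4750

check_setuid_helper() {
    path=$1; want_owner=$2; want_group=$3
    if [ ! -f "$path" ]; then
        echo "FAIL: $path is not a regular file" >&2
        return 1
    fi
    # ls -ld prints "perms links owner group ..." on both BSD and GNU ls.
    set -- $(ls -ld "$path")
    perms=$1; owner=$3; group=$4
    # Some ls builds append +, @ or . to flag ACLs or extended attributes.
    case "$perms" in
        *[+@.]) perms=${perms%?} ;;
    esac
    status=0
    if [ "$perms" != "$EXPECTED_PERMS" ]; then
        echo "FAIL: $path mode is $perms, expected $EXPECTED_PERMS" >&2
        # 4th character is the owner execute slot; s/S means setuid is set.
        case "$perms" in
            ???[sS]*) ;;
            *) echo "      setuid bit is missing; PAM auth through this helper will fail" >&2 ;;
        esac
        # Last three characters are the "other" slots; anything but --- widens access.
        case "$perms" in
            *---) ;;
            *) echo "      reachable by users outside group $want_group; tighten to 4750" >&2 ;;
        esac
        status=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL: $path is owned by $owner:$group, expected $want_owner:$want_group" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $path is $perms $owner:$group"
    fi
    return "$status"
}

# Run directly with PATH OWNER GROUP, for example (path assumed from the port
# patch in this thread, with the version as a placeholder):
#   /usr/local/lib/erlang/lib/ejabberd-<version>/priv/bin/epam root ejabberd
if [ "$#" -eq 3 ]; then
    check_setuid_helper "$1" "$2" "$3"
fi
```

Because the check demands an exact mode rather than just "setuid present", it distinguishes the two failure modes the thread cares about: a lost setuid bit after an upgrade (auth breaks) and a helper left world-executable (broader exposure than the port intends), and it reports which one it found.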
Re: Adding a PAM config option to net-im/ejabberd
Hi Lawrence,

Lawrence Stewart writes:
> Hi Ashish,
>
> What do you think about applying the attached patch to the ejabberd
> port? It installs some parts required to allow ejabberd to auth against
> PAM and is working great for me.

Sure, I can apply it, once ports freeze is over. I also need to update
ejabberd. I'll do both together.

Thanks
--
Ashish SHUKLA

“If knowledge can create problems, it is not through ignorance that we can solve them.” (Isaac Asimov)
Adding a PAM config option to net-im/ejabberd
Hi Ashish,

What do you think about applying the attached patch to the ejabberd
port? It installs some parts required to allow ejabberd to auth against
PAM and is working great for me.

Cheers,
Lawrence

--- Makefile2010-10-25 08:55:04.0 +1100 +++ Makefile.withpam2011-01-10 01:52:36.0 +1100 @@ -23,7 +23,8 @@ USE_RC_SUBR= ${PORTNAME} NOPRECIOUSMAKEVARS=yes -OPTIONS= ODBC"Enable ODBC support" off +OPTIONS= ODBC"Enable ODBC support" off \ + PAM "Enable PAM auth support" off MAKE_ENV= PORTVERSION=${PORTVERSION} CONFIGURE_ARGS+=--localstatedir=/var @@ -55,6 +56,13 @@ PLIST_SUB+=ODBC="@comment " .endif +.if defined(WITH_PAM) +CONFIGURE_ARGS+=--enable-pam +PLIST_SUB+=PAM="" +.else +PLIST_SUB+=PAM="@comment " +.endif + .if defined(NOPORTDOCS) MAKE_ARGS+=NOPORTDOCS=${NOPORTDOCS} .endif --- pkg-plist 2010-10-01 02:22:15.0 +1000 +++ pkg-plist.withpam 2011-01-10 01:50:56.0 +1100 @@ -58,6 +58,8 @@ %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/%%PORTNAME%%_odbc.beam %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/%%PORTNAME%%_odbc_sup.beam %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/odbc_queries.beam +%%PAM%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/epam.beam +%%PAM%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/priv/bin/epam lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/dynamic_compile.beam lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/ejabberd_captcha.beam lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/ejabberd_commands.beam
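Review bot: the two Makefile hunks only add the `PAM` option and pass `--enable-pam` to configure, and the pkg-plist hunk only lists `ebin/epam.beam` and `priv/bin/epam`; no hunk sets the owner or the setuid mode on `priv/bin/epam`, so a `WITH_PAM` build installs a helper that cannot authenticate against PAM until the administrator chmods and chowns it by hand, and that manual fix is lost on the next upgrade. Add a post-install step that sets the ownership and mode (and reflect in the option description that the port then installs a setuid root binary), or at minimum document the manual step in the port's pkg-message.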