On 01/31/11 13:09, Ashish SHUKLA wrote:
> Lawrence Stewart writes:
>> On 01/31/11 00:45, Ashish SHUKLA wrote:
>>> Hi Lawrence,
>>>
>>> Lawrence Stewart writes:
>>>> Hi Ashish,
>>>
>>>> What do you think about applying the attached patch to the ejabberd
>>>> port? It installs some parts required to allow ejabberd to auth against
>>>> PAM and is working great for me.
>>>
>>> Sure, I can apply it, once ports freeze is over. I also need to update
>>> ejabberd. I'll do both together.
>
>> Sounds good, thanks. One question: in order to get PAM auth working, you
>> have to set uid root on the epam bits and chown them appropriately in
>> order to allow things to work. Should the port installation process do
>> these steps as well or should we leave them to the user? I would be
>> inclined to have the port do them so that upgrading the port doesn't
>> break PAM auth after the upgrade. We would want to print a big warning
>> at the end of the port install about the set uid security aspects though.
>
> Thanks for the mention, I suggest adding mention of setuid bit in the
> description of the OPTION. And of course port is going to set the setuid bit
> during installation.
>
> And `security-check' target in bsd.port.mk will catch the setuid bit set on
> the installed executable, and will inform the user as well. So, adding a
> warning about setuid bit would be redundant, IMHO.

Updated patch attached. Feel like committing it for me?

Cheers,
Lawrence

--- Makefile.orig 2010-10-25 08:55:04.000000000 +1100 +++ Makefile 2011-03-06 14:47:27.000000000 +1100 @@ -23,7 +23,8 @@ USE_RC_SUBR= ${PORTNAME} NOPRECIOUSMAKEVARS= yes -OPTIONS= ODBC "Enable ODBC support" off +OPTIONS= ODBC "Enable ODBC support" off \ + PAM "Enable setuid PAM auth support" off MAKE_ENV= PORTVERSION=${PORTVERSION} CONFIGURE_ARGS+=--localstatedir=/var @@ -55,6 +56,13 @@ PLIST_SUB+= ODBC="@comment " .endif +.if defined(WITH_PAM) +CONFIGURE_ARGS+=--enable-pam +PLIST_SUB+= PAM="" +.else +PLIST_SUB+= PAM="@comment " +.endif + .if defined(NOPORTDOCS) MAKE_ARGS+= NOPORTDOCS=${NOPORTDOCS} .endif @@ -67,6 +75,12 @@ ${FIND} ${PREFIX}/lib/erlang/lib/${DISTNAME} -type f -print0 | ${XARGS} -0 ${CHMOD} ${SHAREMODE} ${FIND} ${PREFIX}/lib/erlang/lib/${DISTNAME} -type f -print0 | ${XARGS} -0 ${CHOWN} ${SHAREOWN}:${SHAREGRP} +.if defined(WITH_PAM) + ${CHMOD} 4750 ${PREFIX}/lib/erlang/lib/${DISTNAME}/priv/bin/epam + ${CHOWN} root:ejabberd ${PREFIX}/lib/erlang/lib/${DISTNAME}/priv/bin/epam + ${INSTALL} -m 444 ${FILESDIR}/pam_ejabberd ${PREFIX}/etc/pam.d/ejabberd +.endif + @${CAT} ${PKGMESSAGE} .include <bsd.port.post.mk> --- pkg-plist.orig 2010-10-01 02:22:15.000000000 +1000 +++ pkg-plist 2011-03-06 14:16:50.000000000 +1100 @@ -58,6 +58,9 @@ %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/%%PORTNAME%%_odbc.beam %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/%%PORTNAME%%_odbc_sup.beam %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/odbc_queries.beam +%%PAM%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/epam.beam +%%PAM%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/priv/bin/epam +%%PAM%%etc/pam.d/ejabberd lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/dynamic_compile.beam lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/ejabberd_captcha.beam lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/ejabberd_commands.beam --- files/pam_ejabberd.orig 2011-03-06 13:00:15.000000000 +1100 +++ files/pam_ejabberd 2011-03-06 14:45:11.000000000 +1100 
@@ -0,0 +1,6 @@ +# +# PAM configuration for the "ejabberd" service +# + +# auth +auth required pam_unix.so no_warn try_first_pass
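
Review bot: In the Makefile post-install hunk (@@ -67,6 +75,12), ${CHMOD} 4750 runs before ${CHOWN} root:ejabberd on priv/bin/epam; swap the two so ownership is set first and the setuid mode is applied last, since some chown implementations clear the setuid bit on an ownership change and the binary should not be setuid under a transitional owner. The ${INSTALL} into ${PREFIX}/etc/pam.d/ejabberd also assumes that directory already exists, and nothing visible in the hunk creates it.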
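
Review bot: In the pkg-plist hunk, %%PAM%%etc/pam.d/ejabberd is registered as an ordinary packaged file, and the Makefile installs it unconditionally with ${INSTALL} -m 444, so an administrator's edits to the PAM policy are overwritten on reinstall or upgrade and removed on deinstall. Consider shipping it as a sample file and copying it into place only when no local copy exists.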
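
Review bot: The new files/pam_ejabberd defines only an auth line and has no account entry, so if epam performs account management for the "ejabberd" service, that check falls through to the system's default policy instead of one chosen here. Either add an explicit account line or extend the header comment to state that the omission is deliberate.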