Adding a PAM config option to net-im/ejabberd

Lawrence Stewart lstewart at freebsd.org
Sun Mar 6 03:56:03 UTC 2011


On 01/31/11 13:09, Ashish SHUKLA wrote:
> Lawrence Stewart writes:
>> On 01/31/11 00:45, Ashish SHUKLA wrote:
>>> Hi Lawrence,
>>>
>>> Lawrence Stewart writes:
>>>> Hi Ashish,
>>>
>>>> What do you think about applying the attached patch to the ejabberd
>>>> port? It installs some parts required to allow ejabberd to auth against
>>>> PAM and is working great for me.
>>>
>>> Sure, I can apply it, once ports freeze is over. I also need to update
>>> ejabberd. I'll do both together.
> 
>> Sounds good, thanks. One question: in order to get PAM auth working, you
>> have to set uid root on the epam bits and chown them appropriately in
>> order to allow things to work. Should the port installation process do
>> these steps as well or should we leave them to the user? I would be
>> inclined to have the port do them so that upgrading the port doesn't
>> break PAM auth after the upgrade. We would want to print a big warning
>> at the end of the port install about the set uid security aspects though.
> 
> Thanks for the mention, I suggest adding mention of setuid bit in the
> description of the OPTION. And of course port is going to set the setuid bit
> during installation.
> 
> And `security-check' target in bsd.port.mk will catch the setuid bit set on
> the installed executable, and will inform the user as well. So, adding a
> warning about setuid bit would be redundant, IMHO.

Updated patch attached. Feel like committing it for me?

Cheers,
Lawrence
-------------- next part --------------
--- Makefile.orig	2010-10-25 08:55:04.000000000 +1100
+++ Makefile	2011-03-06 14:47:27.000000000 +1100
@@ -23,7 +23,8 @@
 USE_RC_SUBR=	${PORTNAME}
 NOPRECIOUSMAKEVARS=	yes
 
-OPTIONS=	ODBC	"Enable ODBC support"		off
+OPTIONS=	ODBC	"Enable ODBC support"			off \
+		PAM	"Enable setuid PAM auth support"	off
 
 MAKE_ENV=	PORTVERSION=${PORTVERSION}
 CONFIGURE_ARGS+=--localstatedir=/var
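Review bot: the description on the added PAM line, "Enable setuid PAM auth support", is the only user-facing notice of the setuid bit that the thread settled on, and it does not say which file becomes setuid or to which user. Wording along the lines of "PAM auth (installs setuid-root epam helper)" would tell the user what they are opting into at the options dialog.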
@@ -55,6 +56,13 @@
 PLIST_SUB+=	ODBC="@comment "
 .endif
 
+.if defined(WITH_PAM)
+CONFIGURE_ARGS+=--enable-pam
+PLIST_SUB+=	PAM=""
+.else
+PLIST_SUB+=	PAM="@comment "
+.endif
+
 .if defined(NOPORTDOCS)
 MAKE_ARGS+=	NOPORTDOCS=${NOPORTDOCS}
 .endif
@@ -67,6 +75,12 @@
 	${FIND} ${PREFIX}/lib/erlang/lib/${DISTNAME} -type f -print0 | ${XARGS} -0 ${CHMOD} ${SHAREMODE}
 	${FIND} ${PREFIX}/lib/erlang/lib/${DISTNAME} -type f -print0 | ${XARGS} -0 ${CHOWN} ${SHAREOWN}:${SHAREGRP}
 
+.if defined(WITH_PAM)
+	${CHMOD} 4750 ${PREFIX}/lib/erlang/lib/${DISTNAME}/priv/bin/epam
+	${CHOWN} root:ejabberd ${PREFIX}/lib/erlang/lib/${DISTNAME}/priv/bin/epam
+	${INSTALL} -m 444 ${FILESDIR}/pam_ejabberd ${PREFIX}/etc/pam.d/ejabberd
+.endif
+
 	@${CAT} ${PKGMESSAGE}
 
 .include <bsd.port.post.mk>
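Review bot: in the added WITH_PAM block, `${CHMOD} 4750` runs before `${CHOWN} root:ejabberd` on epam; set the ownership first and the mode second. chown can clear the setuid bit on some systems, and with the current order the binary is briefly setuid under whatever owner and group the preceding recursive `${CHOWN} ${SHAREOWN}:${SHAREGRP}` gave it. The block also relies on the ejabberd group already existing at this point, which the visible lines do not establish; a short comment saying where the group is created would help.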
--- pkg-plist.orig	2010-10-01 02:22:15.000000000 +1000
+++ pkg-plist	2011-03-06 14:16:50.000000000 +1100
@@ -58,6 +58,9 @@
 %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/%%PORTNAME%%_odbc.beam
 %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/%%PORTNAME%%_odbc_sup.beam
 %%ODBC%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/odbc_queries.beam
+%%PAM%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/epam.beam
+%%PAM%%lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/priv/bin/epam
+%%PAM%%etc/pam.d/ejabberd
 lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/dynamic_compile.beam
 lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/ejabberd_captcha.beam
 lib/erlang/lib/%%PORTNAME%%-%%PORTVERSION%%/ebin/ejabberd_commands.beam
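Review bot: `%%PAM%%etc/pam.d/ejabberd` is registered as an ordinary package file, so a deinstall or upgrade removes and replaces a PAM policy the administrator may have edited. Consider shipping the file under a sample name, creating etc/pam.d/ejabberd only when it does not already exist, and having the plist remove the live copy only when it is unchanged from the sample.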
--- files/pam_ejabberd.orig	2011-03-06 13:00:15.000000000 +1100
+++ files/pam_ejabberd	2011-03-06 14:45:11.000000000 +1100
@@ -0,0 +1,6 @@
+#
+# PAM configuration for the "ejabberd" service
+#
+
+# auth
+auth		required	pam_unix.so		no_warn try_first_pass
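Review bot: the policy defines only an `auth` line, so any other facility the epam helper invokes for the ejabberd service is decided by the system's default policy rather than by this file. If epam performs account management, add an explicit `account required pam_unix.so` line so that expired or locked accounts are handled by this service's own policy. A comment explaining why `try_first_pass` is needed would also help, since no earlier module in this stack supplies a password.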

