https://bugzilla.redhat.com/show_bug.cgi?id=1094143

--- Comment #1 from Fedora End Of Life endoflife@fedoraproject.org --- This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

https://bugzilla.redhat.com/show_bug.cgi?id=1094143

Peter Lemenkov lemenkov@gmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |NEW Resolution|EOL |--- Keywords| |Reopened

--- Comment #3 from Peter Lemenkov lemenkov@gmail.com --- We should review polkit rules again.

https://bugzilla.redhat.com/show_bug.cgi?id=1094143

Randy Barlow randy@electronsweatshop.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(lemenkov@gmail.co | |m)

--- Comment #5 from Randy Barlow randy@electronsweatshop.com --- The /usr/share/polkit-1/actions/ejabberdctl.policy file does have allow_any set to no, but it also has allow_inactive and allow_active set to auth_self. By my reading of some Arch documentation[0] I found about policykit, this means that ssh and physical users should both have to authenticate to run ejabberdctl. Setting one or both of those values to yes would allow those users to execute the command without authenticating.

In either case, even the root user cannot meaningfully use ejabberdctl without being the ejabberd user, as there is a /var/lib/ejabberd/.erlang.cookie file that is needed to connect to the running ejabberd daemon. Since that file isn't in the root user's home folder, it is not found. When I use the utility on my own system, I typically have to do something like this:

sudo -u ejabberd /bin/sh /usr/bin/ejabberdctl <command>

Peter, do you know a way to work around that so that any properly authenticated user (root, me, etc.) can find that .erlang.cookie file automatically? I found some documentation that seems to indicate that the cookie is searched for at $HOME[1], and it suggests that copying the cookie to other places might be a reasonable way to proceed. There is also a -setcookie parameter for /usr/bin/erl, but I think it might not be related to the path of the cookie but rather its value.

If we can't have a way for other users (including root) to be able to access this cookie, it seems to me that having a policykit policy at all does not make much sense since the ejabberdctl has to always be run as the user that started the daemon. That is, unless users know to copy that cookie around, in which case they should also know they could write their own policykit rules (or use sudo).

What do you think?

[0] https://wiki.archlinux.org/index.php/Polkit#Actions [1] http://erlang.org/doc/reference_manual/distributed.html#id88336 [2] http://erlang.org/doc/man/erl.html

https://bugzilla.redhat.com/show_bug.cgi?id=1094143

--- Comment #7 from Kevin Kofler kevin@tigcc.ticalc.org --- AIUI, allow_active and allow_inactive are both only for local sessions, active if that's the session currently being displayed on the screen, inactive if it is in the background (think user switching). SSH sessions are allow_any.

Also, defaulting to auth_self is very useless, because it allows any local user to run the daemon! This needs to be set to auth_admin (which will allow their own password only to wheel users, the others need the root password).

https://bugzilla.redhat.com/show_bug.cgi?id=1094143

Randy Barlow randy@electronsweatshop.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Assignee|lemenkov@gmail.com |randy@electronsweatshop.com Flags|needinfo?(lemenkov@gmail.co | |m) |

--- Comment #9 from Randy Barlow randy@electronsweatshop.com --- I'm going to adjust all three to be auth_admin.

https://bugzilla.redhat.com/show_bug.cgi?id=1094143

--- Comment #10 from Fedora Update System updates@fedoraproject.org --- ejabberd-16.09-5.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5d9f0a5954

https://bugzilla.redhat.com/show_bug.cgi?id=1094143

Fedora Update System updates@fedoraproject.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|MODIFIED |ON_QA

--- Comment #11 from Fedora Update System updates@fedoraproject.org --- ejabberd-16.09-5.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5d9f0a5954