--- Comment #1 from Randy Barlow <randy(a)electronsweatshop.com> ---
Created attachment 1196590
p1_pam patch for the facl solution
One of the challenges with making this change is that there's a slight chicken
and egg problem. We need to set the epam binary to mode 4750 (we don't want
just any user executing it), which means that we want to set the group to
ejabberd so that the ejabberd user can execute it. However, this erlang-p1_pam
package is a dependency of the ejabberd package which means that the ejabberd
user/group won't exist when erlang-p1_pam is installed.
I considered having the p1_pam package create the ejabberd group if the group
doesn't already exist, and we could solve this problem that way. p1_pam is
currently only used by ejabberd so it wouldn't be that dirty. However, the
upstream package is separated from ejabberd, presumably because they want it to
be generally useful so it does seem strange for it to create an ejabberd group.
Another option is to set the epam binary mode to 4700, but then have the
ejabberd package set a facl on it that gives the ejabberd user the rx bits.
This is a little strange as well, since it also seems wrong for a package to
modify an artifact of another package.
I lean towards the facl solution, but I'm interested in hearing some input from
others. I'm attaching an extremely simple patch that would be applied to p1_pam
for the facl solution, but if we go this route there would also be a required
change to ejabberd so that it sets the ejabberd rx facl upon install.
I've also considered that perhaps it makes sense to leave this problem up to
the end user to solve, and deliver documentation about the various options. I
think I lean away from doing it this way and towards solving it automatically
through one of the above, but I thought it was worth consideration nonetheless.
You are receiving this mail because:
You are on the CC list for the bug.