Jabber Server?

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Tue Mar 29 15:37:48 UTC 2005

adrian at lisas.de (Adrian Reber) writes:

>> * /usr/bin/c2s is packaged SUID root... is this really needed, especially
>>   because gcc4 gives out a lot of warnings and the code is not trivial
> ...
> I am ready for another review. The only thing from this list I have not
> changed is the SUID binary because I need it so that it works with pam
> authentication.

I think, that the current SUID binary is unacceptable. I see the following
options (in order of precedence):

* ignore faults with /etc/shadow (errors will occur only in this
  setup). IMO it is very uncommon to do user-accounting for such
  services in this file; most people will use a regular database or

* start the c2s server as root. afais, the SUID is only needed because
  you start the daemon with

  | daemon --user jabber ...

  Omitting this, would execute the daemon with the rights of the caller
  ('root' in this case).

* when you REALLY need the SUID thing, then set more secure attributes

  | %attr(4710, root, jabber) %{_bindir}/c2s

  instead of

  | %attr(4755, root, root) %{_bindir}/c2s

  But this is really just a last resort

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 480 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-extras-list/attachments/20050329/c27d9f97/attachment.sig>

More information about the fedora-extras-list mailing list