Jabber Server?
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Tue Mar 29 15:37:48 UTC 2005
adrian at lisas.de (Adrian Reber) writes:
>> * /usr/bin/c2s is packaged SUID root... is this really needed, especially
>> because gcc4 gives out a lot of warnings and the code is not trivial
> ...
> I am ready for another review. The only thing from this list I have not
> changed is the SUID binary because I need it so that it works with pam
> authentication.
I think, that the current SUID binary is unacceptable. I see the following
options (in order of precedence):
* ignore faults with /etc/shadow (errors will occur only in this
setup). IMO it is very uncommon to do user-accounting for such
services in this file; most people will use a regular database or
ldap.
* start the c2s server as root. afais, the SUID is only needed because
you start the daemon with
| daemon --user jabber ...
~~~~~~~~~~~~~
Omitting this, would execute the daemon with the rights of the caller
('root' in this case).
* when you REALLY need the SUID thing, then set more secure attributes
like
| %attr(4710, root, jabber) %{_bindir}/c2s
instead of
| %attr(4755, root, root) %{_bindir}/c2s
But this is really just a last resort
Enrico
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 480 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-extras-list/attachments/20050329/c27d9f97/attachment.sig>
More information about the fedora-extras-list
mailing list