Jabber Server?

[Robert Marcano]

On Tue, 2005-03-29 at 17:37 +0200, Enrico Scholz wrote:
> adrian at lisas.de (Adrian Reber) writes:
> 
> >> * /usr/bin/c2s is packaged SUID root... is this really needed, especially
> >>   because gcc4 gives out a lot of warnings and the code is not trivial
> > ...
> > I am ready for another review. The only thing from this list I have not
> > changed is the SUID binary because I need it so that it works with pam
> > authentication.
> 
> I think, that the current SUID binary is unacceptable. I see the following
> options (in order of precedence):

the current Squid rpm includes a binary to do pam authentication that
needs to be suid and some SELinux customization, because the suid file
attribute is not assigned, each time the Squid RPM is updated that
customization is lost. I always thought that it can be possible to
distribute that file on an RPM like squid-pamauth with the attribute
assigned, that way the administrator will install it at their
convenience. This can be a possible solution here

> * ignore faults with /etc/shadow (errors will occur only in this
>   setup). IMO it is very uncommon to do user-accounting for such
>   services in this file; most people will use a regular database or
>   ldap.
> 
> * start the c2s server as root. afais, the SUID is only needed because
>   you start the daemon with
> 
>   | daemon --user jabber ...
>            ~~~~~~~~~~~~~
> 
>   Omitting this, would execute the daemon with the rights of the caller
>   ('root' in this case).
> 
> * when you REALLY need the SUID thing, then set more secure attributes
>   like
> 
>   | %attr(4710, root, jabber) %{_bindir}/c2s
> 
>   instead of
> 
>   | %attr(4755, root, root) %{_bindir}/c2s
> 
>   But this is really just a last resort

________________________________________
Robert Marcano

web: http://www.marcanoonline.com/
blog: http://www.marcanoonline.com/plog/