epam helper for Erlang / Elixir PAM authentication support
Home Page: http://ejabberd.im
License: Other
Please see https://bugs.debian.org/961652
Hello!
A Fedora user reported that ejabberd would not start on Fedora Rawhide when PAM authentication was enabled. He received these log messages:
2016-05-18 23:40:47.128 [info] <0.38.0>@cyrsasl_digest:start:60 FQDN used to check DIGEST-MD5 SASL authentication: jenkins-dev.last-bastion.net
2016-05-18 23:40:47.154 [error] <0.392.0> Can't open file "/usr/lib64/erlang/lib/ejabberd/priv/bin/epam": enoent
2016-05-18 23:40:47.154 [error] <0.392.0> CRASH REPORT Process epam with 0 neighbours exited with reason: bad return value: error in gen_server:init_it/6 line 356
2016-05-18 23:40:47.154 [error] <0.391.0> Supervisor epam_sup had child epam started with epam:start_link() at undefined exit with reason bad return value: error in context start_error
2016-05-18 23:40:47.154 [error] <0.389.0> CRASH REPORT Process <0.389.0> with 0 neighbours exited with reason: {{shutdown,{failed_to_start_child,epam,{bad_return_value,error}}},{epam_app,start,[normal,[]]}} in application_master:init/4 line 134
2016-05-18 23:40:47.154 [critical] <0.38.0>@ejabberd:exit_or_halt:133 failed to start application 'p1_pam': {error,
{{shutdown,
{failed_to_start_child,epam,
{bad_return_value,error}}},
{epam_app,start,[normal,[]]}}}
2016-05-18 23:40:47.155 [info] <0.7.0> Application p1_pam exited with reason: {{shutdown,{failed_to_start_child,epam,{bad_return_value,error}}},{epam_app,start,[normal,[]]}}
In investigating this, I found that this is the code that locates the epam binary:
https://github.com/processone/epam/blob/1.0.0/src/epam.erl#L142-L153
For source installations this code is probably reasonable since the libraries get bundled into ejabberd, but for distribution installations it is common to separate epam into its own installation path, separate from ejabberd. For example, Fedora installs epam like this:
$ tree -p /usr/lib64/erlang/lib/p1_pam-1.0.0
/usr/lib64/erlang/lib/p1_pam-1.0.0
├── [drwxr-xr-x]  ebin
│   ├── [-rw-r--r--]  epam_app.beam
│   ├── [-rw-r--r--]  epam.beam
│   ├── [-rw-r--r--]  epam_sup.beam
│   └── [-rw-r--r--]  p1_pam.app
└── [drwxr-xr-x]  priv
    └── [drwxr-xr-x]  bin
        └── [-rwxr-xr-x]  epam
3 directories, 5 files
To work around this issue, I've applied this patch in Fedora for now but I would like to develop a solution that will work for both source installations and Fedora so we don't have to carry a patch, and so that other distributions can benefit as well:
From 519551454c749f8c6ea1b1fd1fcbdc268cf6bb27 Mon Sep 17 00:00:00 2001
From: Randy Barlow <[email protected]>
Date: Sun, 22 May 2016 12:43:46 -0400
Subject: [PATCH] Load epam from the package's own path rather than ejabberd.
---
src/epam.erl | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/src/epam.erl b/src/epam.erl
index bdb331e..5919877 100644
--- a/src/epam.erl
+++ b/src/epam.erl
@@ -140,14 +140,9 @@ handle_cast(_Msg, State) -> {noreply, State}.
code_change(_OldVsn, State, _Extra) -> {ok, State}.
get_bin_path() ->
- case os:getenv("EJABBERD_BIN_PATH") of
- false ->
- case code:priv_dir(p1_pam) of
- {error, _} ->
- filename:join(["priv", "bin"]);
- Path ->
- filename:join([Path, "bin"])
- end;
- Path ->
- Path
+ case code:priv_dir(p1_pam) of
+ {error, _} ->
+ filename:join(["priv", "bin"]);
+ Path ->
+ filename:join([Path, "bin"])
end.
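Review bot: the `{error, _}` branch that stays in get_bin_path() still falls back to the relative path `priv/bin`, which resolves against the node's current working directory, so a failed code:priv_dir(p1_pam) lookup silently changes where the PAM helper is loaded from. For a binary that handles authentication it would be safer to return an error (or at least log the failure) in that branch than to guess a location. Separately, removing the `EJABBERD_BIN_PATH` lookup outright drops the override for source installations that set it; trying code:priv_dir(p1_pam) first and consulting the variable only when that fails would cover both layouts without a distribution-specific patch.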
--
2.8.3
Configure fails with the latest HEAD:
$ ./configure
...
config.status: error: cannot find input file: `vars.config.in'
Also, it seems like the application was renamed, but the old name is still found in the sources:
$ grep 'p1_pam' -rH .
./src/epam.erl: case code:priv_dir(p1_pam) of
Specifically, please forward the remote address of the user trying to authenticate in the PAM_RHOST item to the PAM stack (currently, PAM_SERVICE and PAM_USER are supplied). That would allow treating users differently depending on where they come from (e.g. two-factor auth in general, single factor from well-known places).