epam crashes instantly on ejabberd start
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ejabberd (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
I am trying to switch from jabberd2 to ejabberd, and I need PAM authentication. I have freshly installed the `ejabberd` 18.01-2 and `erlang-p1-pam` 1.0.3-3 packages on bionic, and I enabled PAM authentication in `/etc/ejabberd/`
```
##
## Authentication using PAM
##
auth_method: pam
pam_service: "jabber"
```
and `/etc/pam.d/jabber` is this:
```
auth sufficient pam_unix.so likeauth nullok nodelay
account sufficient pam_unix.so
```
As suggested in the Debian README, I have a systemctl override like this:
```
[Service]
PrivateDevices=
PrivateDevices=
NoNewPrivileges=
NoNewPrivileges
```
Every time I restart the jabberd service, I get a number of entries like these in the crash.log:
```
2018-04-26 13:04:43 =ERROR REPORT====
** Generic server epam terminating
** Last message in was {#Port<
** When Server state == {state,
** Reason for termination ==
** port_died
2018-04-26 13:04:43 =CRASH REPORT====
crasher:
initial call: epam:init/1
pid: <0.504.0>
registered_
exception exit: {port_died,
ancestors: [epam_sup,
message_
messages: []
links: [<0.487.0>]
dictionary: []
trap_exit: false
status: running
heap_size: 376
stack_size: 27
reductions: 397
neighbours:
2018-04-26 13:04:43 =SUPERVISOR REPORT====
Supervisor: {local,epam_sup}
Context: child_terminated
Reason: port_died
Offender: [{pid,<
```
followed by
```
2018-04-26 13:04:43 =SUPERVISOR REPORT====
Supervisor: {local,epam_sup}
Context: shutdown
Reason: reached_
Offender: [{pid,<
```
Exit status 139 means that a child process crashed with signal 11 (SEGFAULT).
Needless to say, XMPP client authentication does not work.
The problem is in the AppArmor configuration:
```
audit: type=1400 audit(1524780087.048:210): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/ejabberdctl//su" name="/usr/lib/erlang/p1_pam/bin/epam" pid=25519 comm="epam" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
```
The `mmap` permission (`m`) needs to be granted for the epam setuid helper binary.
The attached patch fixes the problem; PAM authentication starts to work.
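The diagnosis above rests on reading one AppArmor `DENIED` record and turning it into the missing profile rule. The following is an added example, not code from the bug report or from the ejabberd or Debian packages: it parses records in the kernel audit format (`key="value"` pairs after the `audit(...)` prefix), derives the file rule that would satisfy the denied access, splits the profile name into parent and child (`//su` is the child profile of `/usr/sbin/ejabberdctl`), and maps a shell exit status such as 139 back to the signal number. The sample record is constructed from the one quoted in the report; the function names are the example's own.

```python
"""Decode AppArmor "DENIED" audit records into the profile rule they imply.

Added example, not part of the bug report or of any ejabberd package.
Assumes the kernel audit log format: an audit(...) prefix followed by
key=value pairs, with string values in double quotes.
"""
import re

# Constructed sample, modelled on the record quoted in the bug report.
SAMPLE_AUDIT_LINE = (
    'audit: type=1400 audit(1524780087.048:210): apparmor="DENIED" '
    'operation="file_mmap" profile="/usr/sbin/ejabberdctl//su" '
    'name="/usr/lib/erlang/p1_pam/bin/epam" pid=25519 comm="epam" '
    'requested_mask="m" denied_mask="m" fsuid=0 ouid=0'
)

# key=value where the value is either a quoted string or a bare token.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permission letters AppArmor uses in file rules, in its printing order.
_FILE_PERMS = "rwxmlk"


def parse_apparmor_record(line):
    """Return the key/value fields of one audit record as a dict.

    Surrounding quotes are stripped from values; the audit(...) prefix
    contains no '=' and is therefore ignored by the regex.
    """
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def split_profile(profile):
    """Split 'parent//child' into (parent, child); child is None if absent."""
    parent, sep, child = profile.partition("//")
    return parent, (child if sep else None)


def suggested_rule(fields):
    """Build the file rule that would satisfy the denied access.

    Returns None for records that are not file denials (no name, or a
    denied_mask without file permission letters).
    """
    if fields.get("apparmor") != "DENIED" or not fields.get("name"):
        return None
    perms = "".join(p for p in _FILE_PERMS if p in fields.get("denied_mask", ""))
    if not perms:
        return None
    return f'{fields["name"]} {perms},'


def signal_from_exit_status(status):
    """Shell convention: a process killed by signal N exits with 128 + N."""
    return status - 128 if status > 128 else None


def triage(line):
    """Summarise one DENIED record: which profile to edit and with what rule."""
    fields = parse_apparmor_record(line)
    parent, child = split_profile(fields.get("profile", ""))
    return {
        "operation": fields.get("operation"),
        "profile": parent,
        "child_profile": child,
        "binary": fields.get("name"),
        "rule": suggested_rule(fields),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT_LINE)
    print(f"profile {result['profile']} (child {result['child_profile']}) "
          f"denied {result['operation']} on {result['binary']}")
    print(f"add rule: {result['rule']}")
    print(f"exit status 139 -> signal {signal_from_exit_status(139)}")
```

Run on the sample record, the script reports that the `su` child profile of `/usr/sbin/ejabberdctl` needs the rule `/usr/lib/erlang/p1_pam/bin/epam m,`, which is exactly the change the report describes; the same parser can be pointed at `journalctl -k` output to catch a denial before it shows up as a `port_died` crash in ejabberd's crash.log.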