epam crashes instantly on ejabberd start

Bug #1767101 reported by Eugene Crosser
This bug affects 1 person
Affects: ejabberd (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

I am trying to switch from jabberd2 to ejabberd and I need PAM authentication. I have freshly installed the `ejabberd` 18.01-2 and `erlang-p1-pam` 1.0.3-3 packages on bionic, and I enabled PAM authentication in `/etc/ejabberd/ejabberd.yml`:

```
##
## Authentication using PAM
##
auth_method: pam
pam_service: "jabber"
```

and `/etc/pam.d/jabber` is this:

```
auth sufficient pam_unix.so likeauth nullok nodelay
account sufficient pam_unix.so
```

As suggested in the Debian README, I have a systemctl override like this:

```
[Service]
PrivateDevices=
PrivateDevices=false
NoNewPrivileges=
NoNewPrivileges=false
```

Every time I restart the jabberd service, I get a number of such entries in the crash.log:

```
2018-04-26 13:04:43 =ERROR REPORT====
** Generic server epam terminating
** Last message in was {#Port<0.19001>,{exit_status,139}}
** When Server state == {state,#Port<0.19001>}
** Reason for termination ==
** port_died
2018-04-26 13:04:43 =CRASH REPORT====
  crasher:
    initial call: epam:init/1
    pid: <0.504.0>
    registered_name: epam
    exception exit: {port_died,[{gen_server,handle_common_reply,8,[{file,"gen_server.erl"},{line,726}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,247}]}]}
    ancestors: [epam_sup,<0.486.0>]
    message_queue_len: 0
    messages: []
    links: [<0.487.0>]
    dictionary: []
    trap_exit: false
    status: running
    heap_size: 376
    stack_size: 27
    reductions: 397
  neighbours:
2018-04-26 13:04:43 =SUPERVISOR REPORT====
     Supervisor: {local,epam_sup}
     Context: child_terminated
     Reason: port_died
     Offender: [{pid,<0.504.0>},{id,epam},{mfargs,{epam,start_link,[]}},{restart_type,permanent},{shutdown,brutal_kill},{child_type,worker}]
```

followed by

```
2018-04-26 13:04:43 =SUPERVISOR REPORT====
     Supervisor: {local,epam_sup}
     Context: shutdown
     Reason: reached_max_restart_intensity
     Offender: [{pid,<0.504.0>},{id,epam},{mfargs,{epam,start_link,[]}},{restart_type,permanent},{shutdown,brutal_kill},{child_type,worker}]
```

Exit status 139 means that a child process crashed with signal 11 (SEGFAULT).
Needless to say, XMPP client authentication does not work.

Tags: patch
Eugene Crosser (crosser) wrote :

The problem is in the AppArmor configuration:

```
audit: type=1400 audit(1524780087.048:210): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/ejabberdctl//su" name="/usr/lib/erlang/p1_pam/bin/epam" pid=25519 comm="epam" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
```

`mmap` permission needs to be specified for the epam suid binary helper.
The attached patch fixes the problem; PAM authentication starts to work.
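
Added example, not part of the original report or of the attached patch: a small triage script that ties the `exit_status` in the epam crash report to AppArmor denials logged for the helper. The function names, the `helper` parameter and the second audit record are assumptions made for illustration.

```python
import re
import signal

# Constructed sample input: the two log lines quoted in this report.
CRASH_LINE = "** Last message in was {#Port<0.19001>,{exit_status,139}}"
AUDIT_LINES = [
    'audit: type=1400 audit(1524780087.048:210): apparmor="DENIED" '
    'operation="file_mmap" profile="/usr/sbin/ejabberdctl//su" '
    'name="/usr/lib/erlang/p1_pam/bin/epam" pid=25519 comm="epam" '
    'requested_mask="m" denied_mask="m" fsuid=0 ouid=0',
    # Constructed unrelated record, to show filtering by status and comm.
    'audit: type=1400 audit(1524780090.100:211): apparmor="ALLOWED" '
    'operation="open" profile="/usr/sbin/example" name="/etc/hosts" '
    'pid=100 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]


def port_exit_signal(line):
    """Signal name if a port exit_status encodes death by signal (128 + N)."""
    m = re.search(r"\{exit_status,(\d+)\}", line)
    if not m or int(m.group(1)) <= 128:
        return None
    try:
        # 139 - 128 = 11, the signal number named in the report.
        return signal.Signals(int(m.group(1)) - 128).name
    except ValueError:
        return None


def parse_audit(line):
    """Split an AppArmor audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def triage(crash_line, audit_lines, helper="epam"):
    """If the port died from a signal, list AppArmor denials logged for the helper."""
    sig = port_exit_signal(crash_line)
    if sig is None:
        return []
    findings = []
    for rec in map(parse_audit, audit_lines):
        if rec.get("apparmor") == "DENIED" and rec.get("comm") == helper:
            findings.append("{}: profile {} denies '{}' on {} ({})".format(
                sig, rec["profile"], rec["denied_mask"], rec["name"], rec["operation"]))
    return findings


if __name__ == "__main__":
    print("\n".join(triage(CRASH_LINE, AUDIT_LINES)))
```

The `profile` field shows which profile has to grant the permission; here it is the `su` sub-profile of `/usr/sbin/ejabberdctl`, not the top-level profile.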

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "ejabberd-pam-apparmor.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Philipp Huebner (debalance-debian) wrote :

You should already have had the following line in your profile:

```
/usr/lib/erlang/p1_pam/bin/epam px -> /usr/sbin/ejabberdctl//su,
```

Since your patch does not touch that, could you please check, test and update your patch accordingly?

Philipp Huebner (debalance-debian) wrote :

Ah sorry, now I realized that you add this in the su sub-profile.

Philipp Huebner (debalance-debian) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 18.12.1-1

---------------
ejabberd (18.12.1-1) unstable; urgency=medium

  * New upstream version 18.12.1
  * Refreshed patches for 18.12.1
  * Updated Erlang dependencies
  * Updated Standards-Version: 4.3.0 (no changes needed)
  * Updated years in debian/copyright
  * Updated debian/docs

 -- Philipp Huebner <email address hidden> Tue, 01 Jan 2019 22:56:50 +0100

Changed in ejabberd (Ubuntu):
status: New → Fix Released