https://bugzilla.redhat.com/show_bug.cgi?id=1094143
Randy Barlow <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?([email protected]
                   |                            |m)

--- Comment #5 from Randy Barlow <[email protected]> ---

The /usr/share/polkit-1/actions/ejabberdctl.policy file does have allow_any set to no, but it also has allow_inactive and allow_active set to auth_self. By my reading of some Arch documentation[0] I found about policykit, this means that ssh and physical users should both have to authenticate to run ejabberdctl. Setting one or both of those values to yes would allow those users to execute the command without authenticating.

In either case, even the root user cannot meaningfully use ejabberdctl without being the ejabberd user, as there is a /var/lib/ejabberd/.erlang.cookie file that is needed to connect to the running ejabberd daemon. Since that file isn't in the root user's home folder, it is not found. When I use the utility on my own system, I typically have to do something like this:

    sudo -u ejabberd /bin/sh /usr/bin/ejabberdctl <command>

Peter, do you know a way to work around that so that any properly authenticated user (root, me, etc.) can find that .erlang.cookie file automatically? I found some documentation that seems to indicate that the cookie is searched for at $HOME[1], and it suggests that copying the cookie to other places might be a reasonable way to proceed. There is also a -setcookie parameter for /usr/bin/erl, but I think it might not be related to the path of the cookie but rather its value.

If we can't have a way for other users (including root) to be able to access this cookie, it seems to me that having a policykit policy at all does not make much sense since the ejabberdctl has to always be run as the user that started the daemon. That is, unless users know to copy that cookie around, in which case they should also know they could write their own policykit rules (or use sudo). What do you think?

[0] https://wiki.archlinux.org/index.php/Polkit#Actions
[1] http://erlang.org/doc/reference_manual/distributed.html#id88336
[2] http://erlang.org/doc/man/erl.html
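
Added example (not part of the bug comment and not code from the ejabberd package): a Python check that reads the <defaults> of a polkit .policy file and reports, per element, what authentication it asks for, so a packager can spot an element set to yes. The policy text is constructed from the three values quoted in the comment, and the action id is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the three defaults quoted in the comment.
# The action id is a placeholder, not the id in the packaged policy file.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.example.ejabberdctl">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>auth_self</allow_inactive>
      <allow_active>auth_self</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/ejabberdctl</annotate>
  </action>
</policyconfig>
"""

SCOPES = ("allow_any", "allow_inactive", "allow_active")
# Values polkit accepts in <defaults>, mapped to what they demand of the caller.
VERDICTS = {
    "no": "denied",
    "yes": "no-auth",
    "auth_self": "self-auth",
    "auth_self_keep": "self-auth",
    "auth_admin": "admin-auth",
    "auth_admin_keep": "admin-auth",
}

def audit_policy(xml_text):
    """Return {action_id: {scope: verdict}} for each <action> in a policy file."""
    report = {}
    for action in ET.fromstring(xml_text).iter("action"):
        verdicts = {}
        for scope in SCOPES:
            node = action.find(f"defaults/{scope}")
            if node is None:
                verdicts[scope] = "unset"
            else:
                value = (node.text or "").strip()
                verdicts[scope] = VERDICTS.get(value, f"invalid:{value}")
        report[action.get("id")] = verdicts
    return report

def unauthenticated(xml_text):
    """List (action_id, scope) pairs that run the action with no password prompt."""
    return [(aid, scope) for aid, v in audit_policy(xml_text).items()
            for scope in SCOPES if v[scope] == "no-auth"]

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
    relaxed = SAMPLE_POLICY.replace("<allow_active>auth_self", "<allow_active>yes")
    print(unauthenticated(relaxed))
```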
