On 05/23/08, Darren J Moffat wrote:
> John Fischer wrote:
> >==========
> >
> > On OpenSolaris, the public interface to start and stop
> > ejabberd will be SMF and the service will be named:
> >
> >     svc:/network/xmpp:ejabberd
> >
> > Note that user will still need ejabberdctl(1M) for other
> > administration tasks (i.e., user management).
> >
> > ejabberd listens on three TCP ports by default:
> >
> >     5222 - standard port for jabber-client protocol
> >     5269 - standard port for jabber-server protocol for
> >            server to server connections
> >     5280 - port for ejabberd web-based admin
>
> I assume you don't actually mean "in a default install" but "When
> ejabberd is explicitly enabled". I'm assuming (hopefully) that ejabberd
> service is delivered disabled.

Yes. ejabberd service will be disabled by default. The above ports
are default values and can be changed in its configuration.

> What SMF method credential does ejabberd run with? I'm assuming it is
> running as the daemon (or noaccess) user with no additional privileges.
> Given it is running on ports > 1024 it shouldn't need any privileges.
> [Strong HINT: I will derail this case if the answer is that it is
> running as root with all privileges]
>
> Which uid/gid owns the default log file location?
>
> Which RBAC profile is the /usr/sbin/ejabberdctl in?
>
> What new authorisations are added (and to which RBAC profile) for the
> SMF level administration?

Thanks for pointing out those issues (I wasn't aware of them).
I'd like to propose the following more:

- a new user "ejabberd" (uid: 96) and a new group "ejabberd" (gid: 96)
  will be added for running ejabberd service.
  (Notes: 1) I noticed mysql service uses "mysql" user, and postgresql
  service uses "postgres" role. So I suppose it is OK to use either
  user or role for this purpose. 2) svctag's uid is 95. So I use 96
  for ejabberd.)

- "ejabberd" user will be associated with "Ejabberd Administration"
  profile, which includes solaris.smf.manage.ejabberd and
  solaris.smf.value.ejabberd authorizations.

- The above two authorizations are required for executing methods
  in ejabberd service manifest.

Note that ejabberd's initial configuration data are stored in config
files under /etc/ejabberd, so even with above proposal, root user is
still required for editing those config files (I suppose that is OK).

Please let me know if I missed anything.

--
Regards,
Raymond
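
An SMF manifest fragment showing how the account and authorizations proposed in the reply above could be wired up. It is an added illustration, not taken from the thread or from the delivered ejabberd package. The method script path, timeouts, the `privileges='basic'` setting and the profile description text are assumptions.

```xml
<!-- Added illustration; not the manifest delivered with the package.
     Fragment only: the enclosing service_bundle element is omitted. -->
<service name='network/xmpp' type='service' version='1'>
  <!-- Delivered disabled, as confirmed in the thread. -->
  <instance name='ejabberd' enabled='false'>

    <!-- Run the daemon as the proposed unprivileged account.
         Ports 5222, 5269 and 5280 are all above 1024, so the basic
         privilege set suffices and net_privaddr is not required. -->
    <method_context>
      <method_credential user='ejabberd' group='ejabberd'
                         privileges='basic' />
    </method_context>

    <!-- Method path and timeouts are assumptions. -->
    <exec_method type='method' name='start'
                 exec='/lib/svc/method/ejabberd start'
                 timeout_seconds='60' />
    <exec_method type='method' name='stop'
                 exec='/lib/svc/method/ejabberd stop'
                 timeout_seconds='60' />

    <!-- action_authorization: who may enable, disable or restart.
         value_authorization: who may change property values. -->
    <property_group name='general' type='framework'>
      <propval name='action_authorization' type='astring'
               value='solaris.smf.manage.ejabberd' />
      <propval name='value_authorization' type='astring'
               value='solaris.smf.value.ejabberd' />
    </property_group>
  </instance>
</service>

<!-- Matching /etc/security/prof_attr entry for the proposed profile
     (description text is an assumption):
     Ejabberd Administration:::Manage ejabberd:auths=solaris.smf.manage.ejabberd,solaris.smf.value.ejabberd
     Matching /etc/user_attr entry for the proposed user:
     ejabberd::::profiles=Ejabberd Administration
-->
```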