Bug#909914: ejabberd: Starting ejabberd via systemd, epmd does not honor /etc/default/ejabberd

2018-10-10 Thread Philipp Huebner
Hi,

thanks for bringing this up!

On 29.09.18 at 23:38, Matt Marjanovic wrote:
> In particular, this means that the ERL_EPMD_ADDRESS parameter is ignored.
> This is typically used to reduce the attack surface of epmd by telling it
> to only listen on localhost.  As installed, epmd will listen on all interfaces.
>
> This is to some degree an issue for the erlang-base package, which provides epmd
> and its systemd units and *should* provide a config option to restrict epmd to
> listening on localhost only.  However, it is the ejabberd package that provides
> the /etc/default/ejabberd file.

I will patch out the ERL_EPMD_ADDRESS part of /etc/default/ejabberd, the
rest should be fine as it does not concern epmd but the Erlang VM that
ejabberd is running in.

I will also contact the Erlang maintainer.


Best wishes,
-- 
 .''`.   Philipp Huebner 
: :'  :  pgp fp: 6719 25C5 B8CD E74A 5225  3DF9 E5CA 8C49 25E4 205F
`. `'`
  `-





Bug#909914: ejabberd: Starting ejabberd via systemd, epmd does not honor /etc/default/ejabberd

2018-09-29 Thread Matt Marjanovic
Package: ejabberd
Version: 18.06-1
Severity: normal

Dear Maintainer,

When ejabberd is started via systemd (i.e., via the ejabberd.service unit),
then epmd is likewise started via systemd (via the epmd.socket and epmd.service
units), and in this case the contents of /etc/default/ejabberd have no effect
on the startup of epmd.

In particular, this means that the ERL_EPMD_ADDRESS parameter is ignored.
This is typically used to reduce the attack surface of epmd by telling it
to only listen on localhost.  As installed, epmd will listen on all interfaces.

This is to some degree an issue for the erlang-base package, which provides epmd
and its systemd units and *should* provide a config option to restrict epmd to
listening on localhost only.  However, it is the ejabberd package that provides
the /etc/default/ejabberd file.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ejabberd depends on:
ii  adduser                        3.117
ii  debconf [debconf-2.0]          1.5.69
ii  erlang-asn1                    1:20.3.8.5+dfsg-1
ii  erlang-base [erlang-abi-17.0]  1:20.3.8.5+dfsg-1
ii  erlang-crypto                  1:20.3.8.5+dfsg-1
ii  erlang-inets                   1:20.3.8.5+dfsg-1
ii  erlang-jiffy                   0.14.11+dfsg-3
ii  erlang-jose                    1.8.4-3
ii  erlang-lager                   3.6.4-2
ii  erlang-mnesia                  1:20.3.8.5+dfsg-1
ii  erlang-odbc                    1:20.3.8.5+dfsg-1
ii  erlang-os-mon                  1:20.3.8.5+dfsg-1
ii  erlang-p1-cache-tab            1.0.14-1
ii  erlang-p1-eimp                 1.0.6-1
ii  erlang-p1-iconv                1.0.8-1
ii  erlang-p1-stringprep           1.0.12-1
ii  erlang-p1-tls                  1.0.23-2
ii  erlang-p1-utils                1.0.12-1
ii  erlang-p1-xml                  1.1.32-1
ii  erlang-p1-xmpp                 1.2.2-1
ii  erlang-p1-yaml                 1.0.15-1
ii  erlang-p1-zlib                 1.0.4-2
ii  erlang-public-key              1:20.3.8.5+dfsg-1
ii  erlang-ssl                     1:20.3.8.5+dfsg-1
ii  erlang-syntax-tools            1:20.3.8.5+dfsg-1
ii  erlang-xmerl                   1:20.3.8.5+dfsg-1
ii  lsb-base                       9.20170808
ii  openssl                        1.1.0h-4
ii  ucf                            3.0038

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
ii  apparmor 2.13-8
pn  apparmor-utils   
pn  ejabberd-contrib 
pn  erlang-luerl 
pn  erlang-p1-mysql  
pn  erlang-p1-oauth2 
pn  erlang-p1-pam
pn  erlang-p1-pgsql  
pn  erlang-p1-sip
pn  erlang-p1-sqlite3
pn  erlang-p1-stun   
pn  erlang-redis-client  
ii  imagemagick  8:6.9.10.8+dfsg-1
ii  imagemagick-6.q16 [imagemagick]  8:6.9.10.8+dfsg-1
pn  libunix-syslog-perl  
pn  yamllint 

-- Configuration Files:
/etc/ejabberd/inetrc [Errno 13] Permission denied: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission denied: '/etc/ejabberd/modules.d/README.modules'

-- debconf information:
  ejabberd/nodenamechanges:
  ejabberd/hostname: localhost
  ejabberd/erlangopts: -env ERL_CRASH_DUMP_BYTES 0
  ejabberd/nomatch:
  ejabberd/invalidhostname:
  ejabberd/user:
  ejabberd/invaliduser:
  ejabberd/invalidpreseed:
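
An added example, not part of the original report or of either package: a shell check for the condition described in this thread, epmd bound to a non-loopback address. It assumes the default epmd port 4369 and the column layout of `ss -H -ltn`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners on the epmd port that are not loopback-only.
EPMD_PORT=4369   # assumption: default epmd port, not changed via ERL_EPMD_PORT

# Reads `ss -H -ltn` style lines on stdin and prints every local address that
# is bound to the epmd port on something other than loopback.
exposed_epmd_listeners() {
    awk -v port="$EPMD_PORT" '
    {
        local_addr = $4                       # column 4: Local Address:Port
        pos = match(local_addr, /:[0-9]+$/)   # last colon, so IPv6 is safe
        if (pos == 0) next
        p    = substr(local_addr, pos + 1)
        host = substr(local_addr, 1, pos - 1)
        if (p != port) next
        gsub(/^\[|\]$/, "", host)             # [::1] -> ::1
        sub(/%.*$/, "", host)                 # drop scope id such as %lo
        if (host ~ /^127\./ || host == "::1") next
        if (host ~ /^::ffff:127\./) next      # IPv4-mapped loopback
        print local_addr                      # wildcard or routable address
    }'
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
# "*:4369" is how a dual-stack wildcard socket is displayed.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:4369 *:*
LISTEN 0 128 127.0.0.1:5280 0.0.0.0:*
LISTEN 0 128 [::1]:4369 [::]:*
LISTEN 0 128 127.0.0.1:4369 0.0.0.0:*
LISTEN 0 128 192.0.2.10:4369 0.0.0.0:*
LISTEN 0 128 0.0.0.0:14369 0.0.0.0:*
EOF
}

# Live check, run only when asked for: ./check-epmd.sh --live
if [ "${1:-}" = "--live" ]; then
    found=$(ss -H -ltn | exposed_epmd_listeners)
    if [ -n "$found" ]; then
        echo "epmd port $EPMD_PORT reachable beyond loopback:"
        echo "$found"
        exit 1
    fi
    echo "epmd port $EPMD_PORT is loopback-only or not listening"
fi
```

Because the socket is held by systemd under socket activation, the listing reflects what epmd.socket requested, regardless of any ERL_EPMD_ADDRESS value in /etc/default/ejabberd.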