Package: prosody
Version: 0.9.12-2
Severity: normal
Tags: patch
For a long time /var/run has been a symlink to /run. Therefore it's best to
use /run directly which avoids problems if /var isn't mounted (admittedly
a configuration that's not common) and makes the operation clearer.
On SE Linux systems when a directory is created by an init.d script it needs
to have the correct context set. If the restorecon program is installed
then it will operate correctly (even in the case where it's installed but
SE Linux isn't activated) so the best thing to do is to run restorecon on
the directory if restorecon exists. Also note that there is no harm in
running restorecon multiple times, it's operation is conceptually similar to
chmod or chown except that it has it's own config file to determine what
context it should use.
Also if you use tmpfiles.d on a systemd system to create the dirctory then
it will set the correct context without additional effort.
--- /etc/init.d/prosody.orig 2017-12-09 04:41:45.088000000 +0000
+++ /etc/init.d/prosody 2017-12-09 05:00:26.824000000 +0000
@@ -15,7 +15,7 @@
USER=prosody
DAEMON=/usr/bin/prosody
-PIDPATH=/var/run/prosody
+PIDPATH=/run/prosody
PIDFILE="$PIDPATH"/prosody.pid
NICE=
@@ -40,6 +40,7 @@
start_prosody () {
mkdir -p `dirname $PIDFILE`
chown prosody:adm `dirname $PIDFILE`
+ [ -x /sbin/restorecon ] && /sbin/restorecon -R `dirname $PIDFILE`
if start-stop-daemon --start --quiet --pidfile "$PIDFILE" \
--chuid "$USER" --oknodo --user "$USER" --name lua5.1 \
$(start_opts) --startas "$DAEMON";
-- System Information:
Debian Release: 9.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1), LANGUAGE=en_AU
(charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages prosody depends on:
ii adduser 3.115
ii libc6 2.24-11+deb9u1
ii libidn11 1.33-1
ii libssl1.1 1.1.0f-3+deb9u1
ii lsb-base 9.20161125
ii lua-expat [lua5.1-expat] 1.3.0-4
ii lua-filesystem [lua5.1-filesystem] 1.6.3-1
ii lua-sec [lua5.1-sec] 0.6-3
ii lua-socket [lua5.1-socket] 3.0~rc1+git+ac3201d-3
ii lua5.1 5.1.5-8.1+b2
ii ssl-cert 1.0.39
Versions of packages prosody recommends:
pn lua5.1-event <none>
Versions of packages prosody suggests:
pn lua-dbi-mysql <none>
pn lua-dbi-postgresql <none>
pn lua-dbi-sqlite3 <none>
pn lua-zlib <none>
-- Configuration Files:
/etc/init.d/prosody changed:
set -e
USER=prosody
DAEMON=/usr/bin/prosody
PIDPATH=/run/prosody
PIDFILE="$PIDPATH"/prosody.pid
NICE=
MAXFDS=
CPUSCHED=
IOSCHED=
test -x "$DAEMON" || exit 0
. /lib/lsb/init-functions
if [ -f /etc/default/prosody ] ; then
. /etc/default/prosody
fi
start_opts() {
test -z "$NICE" || echo -n " --nicelevel $NICE"
test -z "$CPUSCHED" || echo -n " --procsched $CPUSCHED"
test -z "$IOSCHED" || echo -n " --iosched $IOSCHED"
}
start_prosody () {
mkdir -p `dirname $PIDFILE`
chown prosody:adm `dirname $PIDFILE`
[ -x /sbin/restorecon ] && /sbin/restorecon -R `dirname $PIDFILE`
if start-stop-daemon --start --quiet --pidfile "$PIDFILE" \
--chuid "$USER" --oknodo --user "$USER" --name lua5.1 \
$(start_opts) --startas "$DAEMON";
then
return 0
else
return 1
fi
}
stop_prosody () {
if start-stop-daemon --stop --quiet --retry 30 \
--oknodo --pidfile "$PIDFILE" --user "$USER" --name lua5.1;
then
return 0
else
return 1
fi
}
signal_prosody () {
if start-stop-daemon --stop --quiet --pidfile "$PIDFILE" \
--user "$USER" --name lua5.1 --oknodo --signal $1;
then
return 0
else
return 1
fi
}
case "$1" in
start)
log_daemon_msg "Starting Prosody XMPP Server" "prosody"
if start_prosody; then
log_end_msg 0;
else
log_end_msg 1;
fi
;;
stop)
log_daemon_msg "Stopping Prosody XMPP Server" "prosody"
if stop_prosody; then
log_end_msg 0;
else
log_end_msg 1;
fi
;;
force-reload|restart)
log_daemon_msg "Restarting Prosody XMPP Server" "prosody"
stop_prosody
if start_prosody; then
log_end_msg 0;
else
log_end_msg 1;
fi
;;
reload)
log_daemon_msg "Reloading Prosody XMPP Server" "prosody"
if signal_prosody 1; then
log_end_msg 0;
else
log_end_msg 1;
fi
;;
status)
log_daemon_msg "Status of Prosody XMPP Server" "prosody "
status_of_proc -p"$PIDFILE" lua5.1
;;
*)
log_action_msg "Usage: /etc/init.d/prosody
{start|stop|restart|reload|status}"
exit 1
esac
exit 0
/etc/prosody/prosody.cfg.lua changed:
-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending,
and fill in the
-- blanks. Good luck, and happy Jabbering!
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default
settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "us...@example.com", "us...@example.net" }
admins = { "otherm...@gnubies.com" }
-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that
exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers.
Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
-- These are commented by default as they have a performance impact
--"privacy"; -- Support privacy lists
--"compression"; -- Stream compression (Debian: requires
lua-zlib module to work)
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"pep"; -- Enables users to publish their mood, activity,
playing music and more
"register"; -- Allow users to register on this server using a
client and change passwords
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that
supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on
localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
"posix"; -- POSIX functionality, sends server to background,
enables syslog, etc.
--"groups"; -- Shared roster support
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old
clients and bots.
};
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
};
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;
-- Debian:
-- send the server to background.
--
daemonize = true;
-- Debian:
-- Please, don't change this option since /run/prosody/
-- is one of the few directories Prosody is allowed to write to
--
pidfile = "/run/prosody/prosody.pid";
-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
ssl = {
key = "/etc/letsencrypt/live/gnubies.com/privkey.pem";
certificate = "/etc/letsencrypt/live/gnubies.com/fullchain.pem";
}
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = false
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = false
-- Many servers don't support encryption or have invalid or self-signed
-- certificates. You can list domains here that will not be required to
-- authenticate using certificates. They will be authenticated using DNS.
--s2s_insecure_domains = { "gmail.com" }
-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "jabber.org" }
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.
authentication = "internal_plain"
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default.
'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody",
password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody",
password = "secret", host = "localhost" }
-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
--
-- Debian:
-- Logs info and higher to /var/log
-- Logs errors to syslog also
log = {
-- Log files (change 'info' to 'debug' for debug logs):
info = "/var/log/prosody/prosody.log";
error = "/var/log/prosody/prosody.err";
-- Syslog:
{ levels = { "error" }; to = "syslog"; };
}
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to
serve.
-- Settings under each VirtualHost entry apply *only* to that host.
VirtualHost "gnubies.com"
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components
---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"
-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"
---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
-- component_secret = "password"
------ Additional config files ------
-- For organizational purposes you may prefer to add VirtualHost and
-- Component definitions in their own config files. This line includes
-- all config files in /etc/prosody/conf.d/
Include "conf.d/*.cfg.lua"
-- no debconf information
