Package: ejabberd Version: 16.09-4 Tags: patch Severity: important
After upgrading the machine to Stretch, ejabberd is no longer able to authenticate using PAM. The problem is that the /usr/lib/erlang/p1_pam/bin/epam suid binary is not running as root despite the suid setup, but as user ejabberd. This makes it impossible for ejabberd to check the password using /etc/shadow.

After some research I tracked this down to the way systemd starts the service, and was able to get ejabberd to work with PAM again by commenting out the PrivateDevices line:

--- /tmp/ejabberd.service 2018-10-22 11:15:34.451141940 +0200
+++ /lib/systemd/system/ejabberd.service 2018-10-22 11:12:05.156678797 +0200
@@ -15,7 +15,7 @@
 Restart=on-failure
 PIDFile=/run/ejabberd/ejabberd.pid
 PrivateTmp=true
-PrivateDevices=true
+#PrivateDevices=true
 ProtectHome=true
 ProtectSystem=full

Please consider changing the default setup for ejabberd in Stretch to allow it to work with PAM by default.

One of the sources I found during my research was <URL: https://github.com/processone/ejabberd/pull/1178 >, which mentions this problem. Another is <URL: https://groups.google.com/d/msg/linux.debian.bugs.dist/mNjlrUSXvKU/lP4F72UtAgAJ >.

If you want to test various systemd setup variations, you might find this one-liner useful:

systemctl daemon-reload; service ejabberd restart; ps -p `pidof epam` -o user,group,egroup,euser,fgid,fgroup,fuid,fuser,ruser,rgroup,sgroup,suser,supgrp,comm,args

-- 
Happy hacking
Petter Reinholdtsen
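Review bot: the hunk disables PrivateDevices=true for the whole ejabberd service, i.e. it drops the private /dev sandbox for every process of the unit in order to get one setuid helper working, and leaves no comment recording why; someone reading the unit later will not know the line was disabled because the sandbox does not honour the setuid bit on epam. Suggest replacing the bare `#PrivateDevices=true` with a comment such as `# PrivateDevices breaks the setuid epam helper used for PAM auth` above the disabled line. Also, the patch edits the package-shipped /lib/systemd/system/ejabberd.service, which dpkg overwrites on upgrade; for a local workaround a drop-in under /etc/systemd/system/ejabberd.service.d/ containing `[Service]` and `PrivateDevices=false` survives upgrades, while the default change requested here belongs in the source package's unit file.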
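As an added example (not part of the bug report), a POSIX shell check that reads the Uid: line of the epam helper's /proc status to tell whether the setuid bit was honoured under the unit's sandbox; the uid values in the embedded sample status texts are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the bug report. The "Uid:" line of /proc/<pid>/status
# carries real, effective, saved and filesystem uid. For a working setuid-root
# helper started by the ejabberd user the effective uid must be 0; if the
# sandbox ignored the suid bit, the effective uid equals the real uid.

# Print "ok" (euid 0), "no-suid" (euid == ruid, suid bit ignored) or
# "unknown" (no Uid: line). Argument: the full text of a status file.
suid_effective() {
    status_text=$1
    uid_line=$(printf '%s\n' "$status_text" | grep '^Uid:' || true)
    [ -n "$uid_line" ] || { echo unknown; return 0; }
    set -- $uid_line          # $1=Uid: $2=real $3=effective $4=saved $5=fs
    if [ "$3" -eq 0 ]; then
        echo ok
    elif [ "$3" -eq "$2" ]; then
        echo no-suid
    else
        echo unknown
    fi
}

# Live check against the running epam helper; the Uid: line of another
# user's process is readable without root. Returns 0 only when euid is 0.
check_epam() {
    pid=$(pidof epam 2>/dev/null | awk '{print $1}')
    [ -n "$pid" ] || { echo "epam not running" >&2; return 2; }
    res=$(suid_effective "$(cat /proc/"$pid"/status)")
    echo "epam pid $pid: $res"
    [ "$res" = ok ]
}

# Constructed samples standing in for /proc/<pid>/status under the two unit
# configurations from the report (uid 114 / gid 120 are placeholders).
SAMPLE_SANDBOXED='Name: epam
Uid: 114 114 114 114
Gid: 120 120 120 120'
SAMPLE_WORKING='Name: epam
Uid: 114 0 0 0
Gid: 120 120 120 120'
```

Run `check_epam` after `systemctl daemon-reload; service ejabberd restart` to compare the two unit variants on a live system.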