From 3f87768c8cd4d72fcbc3650c6802e1a0c9d570ac Mon Sep 17 00:00:00 2001 From: Badlop Date: Mon, 14 Jul 2008 10:06:13 +0000 Subject: [PATCH] * doc/guide.tex: Update what permissions does enable-user grant * doc/guide.html: Likewise * src/configure.ac: Don't explicitely put root privileges when a user is not explicitely enabled * src/configure: Likewise * src/Makefile.in: Likewise SVN Revision: 1443 --- ChangeLog | 8 ++++++++ doc/guide.html | 13 +++++++++---- doc/guide.tex | 13 +++++++++---- src/Makefile.in | 41 ++++++++++++++++++++++++++++------------- src/configure | 9 ++++++--- src/configure.ac | 11 +++++++---- 6 files changed, 67 insertions(+), 28 deletions(-) diff --git a/ChangeLog b/ChangeLog index d28a8dd1e..56d7490bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ 2008-07-14 Badlop + * doc/guide.tex: Update what permissions does enable-user grant + * doc/guide.html: Likewise + + * src/configure.ac: Don't explicitely put root privileges when a + user is not explicitely enabled + * src/configure: Likewise + * src/Makefile.in: Likewise + * src/Makefile.in: Fix docdir so it recognizes prefix. If sbin dir does not exist, create it. Fix cookiefile permission check. (EJAB-696) diff --git a/doc/guide.html b/doc/guide.html index 9b655b7b8..735fc1f8c 100644 --- a/doc/guide.html +++ b/doc/guide.html @@ -339,12 +339,17 @@ To get the full list run the command:

Some options that you may be interested in modifying:

--prefix=/
- Specify the path prefix where the files will be copied when running the make install command.

--enable-user[=USER]
+ Specify the path prefix where the files will be copied when running + the make install command.

--enable-user[=USER]
Allow this normal system user to execute the ejabberdctl script (see section 4.1), - modify the configuration files and read log files. - The account must exist in the machine. It doesn’t need a HOME directory. - If the option is not set, then only root can perform those actions.

--enable-pam
+ read the configuration files, + read and write in the spool directory, + read and write in the log directory. + The account user and group must exist in the machine + before running make install. + This account doesn’t need an explicit HOME directory, because + /var/lib/ejabberd/ will be used by default.

--enable-pam
Enable the PAM authentication method (see section 3.1.4).

--enable-odbc or --enable-mssql
Required if you want to use an external database. See section 3.2 for more information.

--enable-full-xml
diff --git a/doc/guide.tex b/doc/guide.tex index 7e440ac7c..3831ac024 100644 --- a/doc/guide.tex +++ b/doc/guide.tex @@ -322,14 +322,19 @@ To get the full list run the command: Some options that you may be interested in modifying: \begin{description} \titem{--prefix=/} - Specify the path prefix where the files will be copied when running the make install command. + Specify the path prefix where the files will be copied when running + the \term{make install} command. \titem{--enable-user[=USER]} Allow this normal system user to execute the ejabberdctl script (see section~\ref{ejabberdctl}), - modify the configuration files and read log files. - The account must exist in the machine. It doesn't need a HOME directory. - If the option is not set, then only root can perform those actions. + read the configuration files, + read and write in the spool directory, + read and write in the log directory. + The account user and group must exist in the machine + before running \term{make install}. + This account doesn't need an explicit HOME directory, because + \term{/var/lib/ejabberd/} will be used by default. \titem{--enable-pam} Enable the PAM authentication method (see section \ref{pam}). diff --git a/src/Makefile.in b/src/Makefile.in index cef4707bb..beab1e660 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -14,6 +14,20 @@ ERLANG_LIBS = @ERLANG_LIBS@ ASN_FLAGS = -bber_bin +der +compact_bit_string +optimize +noobj +INSTALLUSER=@INSTALLUSER@ +# if no user was enabled, don't set privileges or ownership +ifeq ($(INSTALLUSER),) + O_USER= + G_USER= + CHOWN_COMMAND=echo + CHOWN_OUTPUT=/dev/null +else + O_USER=-o $(INSTALLUSER) + G_USER=-g $(INSTALLUSER) + CHOWN_COMMAND=chown + CHOWN_OUTPUT=&1 +endif + EFLAGS += @ERLANG_SSL39@ EFLAGS += -I ../include @@ -44,7 +58,7 @@ endif INSTALL_EPAM= ifeq (@pam@, pam) - INSTALL_EPAM=install -m 750 -o @INSTALLUSER@ epam $(PBINDIR) + INSTALL_EPAM=install -m 750 $(O_USER) epam $(PBINDIR) endif prefix = @prefix@ 
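Review bot: The empty-user branch of the new `ifeq` block in `src/Makefile.in` disables chown by setting `CHOWN_COMMAND=echo` with `CHOWN_OUTPUT=/dev/null`, which forces the other branch to carry a no-op `>&1` redirect. The recipes in the `@@ -190,14 +205,14 @@` hunk then show an `echo -R ... >/dev/null` command for a step that is skipped. A single `CHOWN_COMMAND=true` in the empty branch does the same job and lets `CHOWN_OUTPUT` be dropped from both branches and from the recipe lines. The comment also overstates the effect, since the `-m` modes are still applied and only owner and group are left alone; I would word it `# if no user was enabled, leave owner and group at the installer's defaults (modes are still set)`.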
@@ -145,12 +159,13 @@ $(ERLSHLIBS): %.so: %.c $(DYNAMIC_LIB_CFLAGS) install: all + echo "AA: '$(AA)'" # # Configuration files - install -d -m 750 -g @INSTALLUSER@ $(ETCDIR) + install -d -m 750 $(G_USER) $(ETCDIR) [ -f $(ETCDIR)/ejabberd.cfg ] \ - && install -b -m 640 -g @INSTALLUSER@ ejabberd.cfg.example $(ETCDIR)/ejabberd.cfg-new \ - || install -b -m 640 -g @INSTALLUSER@ ejabberd.cfg.example $(ETCDIR)/ejabberd.cfg + && install -b -m 640 $(G_USER) ejabberd.cfg.example $(ETCDIR)/ejabberd.cfg-new \ + || install -b -m 640 $(G_USER) ejabberd.cfg.example $(ETCDIR)/ejabberd.cfg sed -e "s*@rootdir@*@prefix@*" \ -e "s*@installuser@*@INSTALLUSER@*" \ -e "s*@LIBDIR@*@libdir@*" \ @@ -159,13 +174,13 @@ install: all -e "s*@erl@*@ERL@*" ejabberdctl.template \ > ejabberdctl.example [ -f $(ETCDIR)/ejabberdctl.cfg ] \ - && install -b -m 640 -g @INSTALLUSER@ ejabberdctl.cfg.example $(ETCDIR)/ejabberdctl.cfg-new \ - || install -b -m 640 -g @INSTALLUSER@ ejabberdctl.cfg.example $(ETCDIR)/ejabberdctl.cfg - install -b -m 644 -g @INSTALLUSER@ inetrc $(ETCDIR)/inetrc + && install -b -m 640 $(G_USER) ejabberdctl.cfg.example $(ETCDIR)/ejabberdctl.cfg-new \ + || install -b -m 640 $(G_USER) ejabberdctl.cfg.example $(ETCDIR)/ejabberdctl.cfg + install -b -m 644 $(G_USER) inetrc $(ETCDIR)/inetrc # # Administration script [ -d $(SBINDIR) ] || install -d 750 $(SBINDIR) - install -m 550 -g @INSTALLUSER@ ejabberdctl.example $(SBINDIR)/ejabberdctl + install -m 550 $(G_USER) ejabberdctl.example $(SBINDIR)/ejabberdctl # # Binary Erlang files install -d $(BEAMDIR) 
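Review bot: The first recipe line added to `install`, `echo "AA: '$(AA)'"`, looks like leftover debugging and should be removed: `AA` is not defined in any visible hunk and the line prints on every install. Separately, the unchanged `sed` expression `-e "s*@installuser@*@INSTALLUSER@*"` further down now writes an empty value into `ejabberdctl.example` when no user is enabled. The template is not shown here, so it is worth confirming that the generated ejabberdctl script behaves sensibly with an empty install user. The `install` recipe continues past the end of this hunk.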
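Review bot: The context line `[ -d $(SBINDIR) ] || install -d 750 $(SBINDIR)` in the `@@ -159,13 +174,13 @@` hunk is missing `-m`, so `750` is taken as a second directory to create rather than as the mode, and `$(SBINDIR)` gets the umask default. The commit edits the line right after it but leaves this one as is; it should read `[ -d $(SBINDIR) ] || install -d -m 750 $(SBINDIR)`. If the enabled user is meant to reach the mode-550 `ejabberdctl` installed into that directory, the directory probably also needs `$(G_USER)`, otherwise a freshly created 750 directory owned by the installer would block that user. The recipe starts before this hunk and continues after it.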
@@ -190,14 +205,14 @@ install: all install -m 644 msgs/*.msg $(MSGSDIR) # # Spool directory - install -d -m 750 -o @INSTALLUSER@ $(SPOOLDIR) - chown -R @INSTALLUSER@ $(SPOOLDIR) + install -d -m 750 $(O_USER) $(SPOOLDIR) + $(CHOWN_COMMAND) -R @INSTALLUSER@ $(SPOOLDIR) >$(CHOWN_OUTPUT) chmod -R 750 $(SPOOLDIR) - [ ! -f $(COOKIEFILE) ] || { chown @INSTALLUSER@ $(COOKIEFILE) ; chmod 400 $(COOKIEFILE) ; } + [ ! -f $(COOKIEFILE) ] || { $(CHOWN_COMMAND) @INSTALLUSER@ $(COOKIEFILE) >$(CHOWN_OUTPUT) ; chmod 400 $(COOKIEFILE) ; } # # Log directory - install -d -m 750 -o @INSTALLUSER@ $(LOGDIR) - chown -R @INSTALLUSER@ $(LOGDIR) + install -d -m 750 $(O_USER) $(LOGDIR) + $(CHOWN_COMMAND) -R @INSTALLUSER@ $(LOGDIR) >$(CHOWN_OUTPUT) chmod -R 750 $(LOGDIR) # # Documentation diff --git a/src/configure b/src/configure index f77db635c..6ce0e31fd 100755 --- a/src/configure +++ b/src/configure @@ -5909,18 +5909,21 @@ fi -ENABLEUSER=root +ENABLEUSER="" # Check whether --enable-user was given. if test "${enable_user+set}" = set; then enableval=$enable_user; case "${enableval}" in yes) ENABLEUSER=`whoami` ;; + no) ENABLEUSER="" ;; *) ENABLEUSER=$enableval esac - echo "allow this system user to start ejabberd: $ENABLEUSER" fi -INSTALLUSER=$ENABLEUSER +if test "$ENABLEUSER" != ""; then + echo "allow this system user to start ejabberd: $ENABLEUSER" + INSTALLUSER=$ENABLEUSER +fi cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure diff --git a/src/configure.ac b/src/configure.ac index ee19d9c57..ba6384633 100644 --- a/src/configure.ac +++ b/src/configure.ac 
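Review bot: On the changed cookie line the chown and `chmod 400` are joined with `;`, so a failed chown of `$(COOKIEFILE)` is ignored and the install reports success. The file (presumably the Erlang cookie, i.e. the node's shared secret) then stays mode 400 under an owner other than the enabled user. Joining the two with `&&` makes the failure stop the install: `[ ! -f $(COOKIEFILE) ] || { $(CHOWN_COMMAND) $(INSTALLUSER) $(COOKIEFILE) >$(CHOWN_OUTPUT) && chmod 400 $(COOKIEFILE) ; }`. The three chown lines in this hunk also still spell the user as `@INSTALLUSER@`; using the `$(INSTALLUSER)` variable this commit introduces would keep a single source for the value. The `install` recipe starts before this hunk.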
@@ -122,15 +122,18 @@ else fi AC_CHECK_HEADER(krb5.h,,) -ENABLEUSER=root +ENABLEUSER="" AC_ARG_ENABLE(user, [AS_HELP_STRING([--enable-user[[[[=USER]]]]], [allow this system user to start ejabberd (default: no)])], [case "${enableval}" in yes) ENABLEUSER=`whoami` ;; + no) ENABLEUSER="" ;; *) ENABLEUSER=$enableval - esac - echo "allow this system user to start ejabberd: $ENABLEUSER"], + esac], []) -AC_SUBST([INSTALLUSER], [$ENABLEUSER]) +if test "$ENABLEUSER" != ""; then + echo "allow this system user to start ejabberd: $ENABLEUSER" + AC_SUBST([INSTALLUSER], [$ENABLEUSER]) +fi AC_OUTPUT -- 2.40.0
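Review bot: Moving `AC_SUBST([INSTALLUSER], [$ENABLEUSER])` inside the shell `if` leaves `INSTALLUSER` unassigned when no user is enabled. An `INSTALLUSER` inherited from the environment of the configure run would then be substituted into `src/Makefile.in` and silently re-enable the `-o`/`-g`/chown paths. The generated `src/configure` hunk shows this: only the `INSTALLUSER=$ENABLEUSER` assignment sits inside the `if`, and nothing initialises the variable otherwise. Keeping the assignment unconditional avoids that, i.e. leave `AC_SUBST([INSTALLUSER], [$ENABLEUSER])` after the `if` block and keep only the `echo` inside it.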