[Pkg-erlang-devel] Bug#709754: ejabberd: doesn't use invoke-rc.d

Konstantin Khomoutov flatworm at users.sourceforge.net
Mon Sep 30 13:56:20 UTC 2013


retitle 709754 Erlang runtime implicitly starts an epmd daemon
reassign 709754 erlang
severity 709754 important
affects 709754 ejabberd
tag 709754 +security +upstream +confirmed
thanks

On Thu, 30 May 2013 10:57:36 +0200
Andreas Beckmann <anbe at debian.org> wrote:

> On 2013-05-30 10:26, Felix Geyer wrote:
> > ejabberd does use invoke-rc.d.
> > epmd is spawned when calling ejabberdctl which ejabberd does
> > in postinst and prerm.
> 
> a package is not supposed to start daemons upon installation/... in a
> way circumventing policy-rc.d
> 
> > Killing epmd may be dangerous when there are other erlang programs
> > running, see:
> > http://www.ejabberd.im/epmd
> 
> How is this supposed to work in a multi-user environment? The first
> user running some erlang program starts a daemon?
> 
> And later on root installs ejabberd which uses a resolver controlled
> by an untrusted user?

Yes, this sucks but that's how the Erlang runtime works, and this is an
upstream issue.
I've discussed these matters with the Erlang package maintainer, and he
agreed with you that this needs to be fixed, but unfortunately there
seems to be no bullet-proof solution short of convincing upstream to do
something about the situation: in theory, we could create an init script
to turn epmd into a real daemon and then make ejabberd and other
affected software hard-depend on it via their respective init scripts,
but this won't prevent that malicious user from starting epmd before a
proper daemon is run.

Anyway, by agreement with the Erlang package maintainer, I'm
reassigning this bug to the erlang package, so let's proceed in that
new context.
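The situation Andreas describes (root's ejabberdctl silently using whatever epmd is already bound to port 4369, whoever started it) can at least be detected before anything privileged talks to it. The script below is an added example for this thread; it is not code from the ejabberd or erlang Debian packages, and the helper names (epmd_listener_uid, epmd_is_trusted, report) are made up for illustration. It reads the Linux /proc/net/tcp table, finds the socket in LISTEN state on port 4369 (0x1111) and reports the uid that owns it; the three sample tables are constructed so that it runs offline. On a real host you would pass /proc/net/tcp (and /proc/net/tcp6, since epmd may bind IPv6 only).

```shell
#!/bin/sh
# Added example, not from the ejabberd or erlang Debian packages.
# Find out whether an epmd is already listening on its well-known port
# (4369) and which uid owns that socket, by reading the Linux
# /proc/net/tcp table. Function names are hypothetical; the tables below
# are constructed samples so the script runs offline. On a live system
# call the functions with /proc/net/tcp (and /proc/net/tcp6).

EPMD_PORT_HEX=1111   # 4369 decimal; /proc/net/tcp prints ports in hex

# epmd_listener_uid FILE
#   Print the uid (column 8) of the socket in LISTEN state (st == 0A)
#   whose local port is 4369. Prints nothing and returns 1 if none.
epmd_listener_uid() {
    awk -v port="$EPMD_PORT_HEX" '
        NR > 1 {
            split($2, local, ":")
            if (local[2] == port && $4 == "0A") { print $8; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# epmd_is_trusted FILE
#   Succeed if no epmd is listening (the privileged side may then start
#   its own) or if the listener is owned by root. Fail if another uid
#   owns it: the "resolver controlled by an untrusted user" case.
epmd_is_trusted() {
    uid=$(epmd_listener_uid "$1") || return 0
    [ "$uid" -eq 0 ]
}

# report FILE : human-readable verdict, always returns 0
report() {
    if uid=$(epmd_listener_uid "$1"); then
        if [ "$uid" -eq 0 ]; then
            echo "$1: epmd listening, owned by root"
        else
            echo "$1: epmd listening, owned by uid $uid: refusing to use it"
        fi
    else
        echo "$1: no epmd listening"
    fi
}

# --- constructed sample tables (same column layout as /proc/net/tcp) ---
# 1. epmd started by an unprivileged user (uid 1000)
SAMPLE_USER=$(mktemp); cat > "$SAMPLE_USER" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1111 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
EOF

# 2. epmd owned by root, plus an ESTABLISHED (st 01) connection on the
#    same port that must not be mistaken for the listener
SAMPLE_ROOT=$(mktemp); cat > "$SAMPLE_ROOT" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1111 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1111 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 22346 1 0000000000000000 20 0 0 10 -1
EOF

# 3. no epmd at all
SAMPLE_NONE=$(mktemp); cat > "$SAMPLE_NONE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
EOF

report "$SAMPLE_USER"
report "$SAMPLE_ROOT"
report "$SAMPLE_NONE"
```

A maintainer script or init script could run `epmd_is_trusted /proc/net/tcp` (and the tcp6 table) before invoking ejabberdctl and abort with a clear message instead of registering the node with a stranger's epmd. Note what this does and does not buy: it does not remove the race the mail describes (a local user can still bind 4369 first), it only turns silent trust into a refusal. `epmd -names` is the usual way to see which nodes are registered, but it does not tell you who owns the listening socket, which is the property that matters here.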
