Sergei Golovan (supplier of updated erlang package) Have further comments please address them to the maintainer will reopen the bug report if appropriate. Thank you for reporting the bug, which will now be closed. We believe that the bug you reported is fixed in the latest version of Erlang, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is Is epmd then started again under an untrusted user? The only question that remains: what happens if other apps want to start epmd? Is it always caught through epmd.socket and started via systemd or So it's not automatically started via systemd, but when another service > users who don't need and never use any distributed Erlang application. AFAICT it's not masked, but simply disabled, at least on the Sid systems I'm thinking about unmasking it but I'm afraid it'll confuse > The epmd daemon is still masked by default, so I'll not close this bug Reassigning this bug to the erlang package, so let's proceed in that Date: Sun, 12:41:38 +0200 Hi To turn epmd into a real daemon and then make ejabberd and other affected software hard-depend on it via their respective init-scripts, but this won't prevent that malicious user from starting epmd before a Anyway, by agreement with the Erlang package maintainer, I'm Something about the situation: in theory, we could create an init script Seems no bullet-proof solution short of convincing upstream to do I've discussed these matters with the Erlang package maintainer, and he agreed with you on that this needs to be fixed but unfortunately there Yes, this sucks but that's how the Erlang runtime works, and this is an > And later on root installs ejabberd which uses a resolver controlled > user running some erlang program starts a daemon? > How is this supposed to work in a multi-user environment?
The first > Killing epmd may be dangerous when there are other erlang programs > a package is not supposed to start daemons upon installation/. > epmd is spawned when calling ejabberdctl which ejabberd does Tag 709754 +security +upstream +confirmed This is seriously disturbing! -) and /usr/share/doc/sysv-rc/.gz as well as /usr/share/doc/sysv-rc/.gz This is very probably due to not using invoke-rc.d as mandated by policy 9.3.3.2. Date: Sat, 10:38:57 +0200 Package: ejabberd During a test with piuparts I noticed your package starts processes