
Not requiring hard-coded username

Open opk12 opened this issue 4 months ago • 4 comments

This is a minor thing. I installed ejabberd in a container and was puzzled as to why the executable requires a specific user name. The package allocates a new UID in the guest's /etc/passwd, but that most likely maps to a different service on the host and I cannot use it. I allocated my own user, which I expected. I additionally needed to name it ejabberd and delete the previous ejabberd user.

Is there a kind of attack that forcing a username is assumed to prevent? Other services do not do this, because security comes entirely from the kernel's Unix permission handling and UID separation, and usernames do not exist in the kernel; they are really just keys to index /etc/passwd. I can't think of an example of how requiring a username can increase or decrease security.

I understand that the name is configurable with a compile-time switch, but I'd rather reuse the distro-provided package.

opk12 avatar Aug 14 '25 19:08 opk12

To name some examples, I run unprivileged openssh and nginx as normal (non-system) users.

opk12 avatar Aug 14 '25 19:08 opk12
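As an added example (not code from this issue or from the ejabberd project), the following POSIX shell sketch shows the distinction the post above draws: a wrapper that gates on the login name (a compile-time constant), beside one that gates on the numeric UID the kernel actually enforces, by comparing it with the owner of a directory the daemon must write. All function names are hypothetical, and the demo runs against a constructed temporary directory rather than a real spool directory.

```shell
#!/bin/sh
# Added example, not ejabberdctl's own code. Illustrates why comparing the
# login name is brittle while comparing the UID is what the kernel enforces.

# Brittle check: the account must be *called* a particular name.
# Breaks whenever the admin created the service account under another name,
# even though the kernel-enforced UID/GID separation is identical.
check_by_name() {
    expected_name=$1   # e.g. "ejabberd", baked in at build time
    actual_name=$2     # e.g. output of `id -un`
    [ "$expected_name" = "$actual_name" ]
}

# Portable check: the numeric UID we run as must own the directory we need to
# write. Whatever the account is called, the UID decides what it may touch.
check_by_owner() {
    dir=$1
    actual_uid=$2      # e.g. output of `id -u`
    # GNU stat first, BSD stat as fallback
    owner_uid=$(stat -c %u "$dir" 2>/dev/null || stat -f %u "$dir")
    [ "$owner_uid" = "$actual_uid" ]
}

# Resolve a configured value to a UID: a login name is looked up in the passwd
# database, a number is accepted as-is (the kernel's own key).
# Prints the UID; exit status 1 if the name is unknown.
resolve_uid() {
    case $1 in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# Demo on the running system: a freshly created directory is owned by the
# caller, so the owner check passes no matter what the account is named.
demo() {
    tmp=$(mktemp -d)
    me=$(id -u)
    if check_by_owner "$tmp" "$me"; then
        echo "uid $me owns $tmp: start allowed"
    else
        echo "uid $me does not own $tmp: refuse to start"
    fi
    rmdir "$tmp"
}

case ${1:-} in
    demo) demo ;;
esac
```

Run it as `sh wrapper.sh demo`. The owner check also covers the case in the post where the distro's UID maps to some other service on the host: if the spool directory is chowned to the UID you actually run as, it passes, and if it is not, it fails for the right reason.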

> why the executable requires a specific user name.

The Dockerfile in the ejabberd container image is based on the Dockerfile of the ecs container image, which since its inception relies on a system user called ejabberd.

This code dates back to 2017; maybe this was the common trend at that time, or the example Dockerfiles did this.

> Other services do not do this

> To name some examples, I run unprivileged openssh and nginx as normal (non-system) users.

If there are already examples of what you describe, it would be useful to review their Dockerfiles and see how they accomplish it.

> I'd rather reuse the distro-provided package.

Can you provide an experimental patch that would solve what you explained?

badlop avatar Aug 15 '25 14:08 badlop

I know Python, but I do not know Erlang, sorry. I have an official Debian 13 (stable) install in a systemd container, and ejabberdctl terminates when trying to start it. I do not use (or trust) Docker. My other services are in systemd and LXC, which do not have an exact equivalent of a Dockerfile.

opk12 avatar Aug 15 '25 17:08 opk12

> I installed ejabberd in a container and was puzzled as to why the executable requires a specific user name.

> I have an official Debian 13 (stable) install in a systemd container, and ejabberdctl terminates when trying to start it. I do not use (or trust) Docker.

You should clarify how exactly you install ejabberd, what method, and show other counter-examples that have some feature you envy.

badlop avatar Aug 15 '25 21:08 badlop