Description of problem:
The current init script starts PyICQt as root, which is a security risk. Instead it should be run as an unprivileged user. I made a few changes to get this working:
- change permissions for /etc/pyicq-t/ (the config file is confidential because a clear text password is saved in it) and /var/spool/pyicq-t (also confidential because all user ICQ passwords are saved in there)
- create a directory for the pid-file /var/run/pyicq-t and change permissions
The init script was changed in several ways. It now uses the daemon function, which starts the application nicely and also automatically changes to the unprivileged user "pyicqt". Also, the init script shouldn't call "python PyICQt.py"; instead it should execute the Python script as an executable. This makes it easier to write a SELinux policy. Additionally, I changed the chkconfig start parameter to 99, because ejabberd starts at 40 but needs a couple of seconds to initialize the port that PyICQt will connect to. If PyICQt is started too early and ejabberd hasn't initialized the port, PyICQt will drop.
The base of the attached files is from pyicq-t-0.8.1.3-2.fc12.src.rpm
My PyICQt daemon has now been running for a couple of weeks with the changes and everything works fine, so I expect no trouble if you upstream it.
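A check for the directory changes described in the report, as an added example that is not part of the report or of the attached files. Assumptions: "confidential" is read as no permission bits for "other" on /etc/pyicq-t and /var/spool/pyicq-t or anything inside them, and the spool and pid directories are expected to be owned by the service account; the function names and the ROOT prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the report): audit the three directories it names.
# Assumed policy: no "other" bits on the confidential trees, and the
# directories the daemon writes to are owned by the service account.

# exposed PATH: list entries under PATH with any r/w/x bit set for "other"
exposed() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \)
}

# not_owned PATH USER: print PATH if USER (name or numeric uid) does not own it
not_owned() {
    find "$1" -prune ! -user "$2"
}

# audit_pyicqt ROOT USER: ROOT is a path prefix ("" for the live system).
# Prints each finding and returns the number of findings (0 = clean).
audit_pyicqt() {
    root=$1 user=$2 findings=0
    for dir in /etc/pyicq-t /var/spool/pyicq-t /var/run/pyicq-t; do
        if [ ! -d "$root$dir" ]; then
            echo "MISSING: $root$dir"
            findings=$((findings + 1))
        fi
    done
    # Config and spool hold clear text passwords according to the report.
    for dir in /etc/pyicq-t /var/spool/pyicq-t; do
        [ -d "$root$dir" ] || continue
        hits=$(exposed "$root$dir")
        if [ -n "$hits" ]; then
            echo "ACCESSIBLE TO OTHER USERS:"
            echo "$hits"
            findings=$((findings + 1))
        fi
    done
    # Spool and pid directory are written by the unprivileged daemon.
    for dir in /var/spool/pyicq-t /var/run/pyicq-t; do
        [ -d "$root$dir" ] || continue
        if [ -n "$(not_owned "$root$dir" "$user")" ]; then
            echo "NOT OWNED BY $user: $root$dir"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

On a host with the changes applied, `audit_pyicqt "" pyicqt` run as root should print nothing and return 0.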
Created attachment 359162
Created attachment 359163
Created attachment 359164
pid file location changes
pyicq-t-0.8.1.5-5.fc11 has been submitted as an update for Fedora 11.
pyicq-t-0.8.1.5-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.