Building GNU Termcap and Linux-PAM using the updated toolchain both
failed, since crosstool-NG now uses GCC 14.x, which turns the
"implicit-function-declaration" warning into an error. See:
https://gcc.gnu.org/gcc-14/porting_to.html#warnings-as-errors
Therefore, specify "CFLAGS=-Wno-error=implicit-function-declaration" to
turn this error back into a warning.
Stick to Linux-PAM version 1.6.1 for the moment. Newer Linux-PAM
versions are built using Meson instead of Autotools, so we need to add
that to our toolchain before being able to update Linux-PAM.

process_privilege_iq is meant to rewrite the result of a privileged IQ into
the forwarded form required by XEP-0356 so it can be routed back to the
original privileged requester. It checks whether the impersonated JID
(`ReplacedJid`) of the original request matches the recipient of the IQ
being processed to determine if this is a response to a privileged IQ
(assuming it has privileged-IQ metadata attached).
Unfortunately, it doesn't check the packet type, and this check will also
match a privileged-IQ _request_ that is being sent to the same user that's
being impersonated. This results in the request itself being rewritten and
forwarded back to the sending component, instead of being processed and
having the result sent back.
Instead, just check for IQ results (either a regular result or an error),
and as long as it is marked as being a response to a privileged-IQ, always
rewrite it and forward it to the sending component. There's no circumstance
under which we _shouldn't_ forward a privileged-IQ response, so we don't
need to be tricky about checking whether impersonated-user and recipient
match.
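
The two checks described above, side by side, as an added Erlang example that is not ejabberd's own code: the map-based stanza layout, the function names and the sample JIDs are assumptions made for illustration. `demo/0` returns, for each constructed stanza, whether the old and the new check would treat it as a privileged-IQ response; the privileged request addressed to the impersonated user is the case where they disagree.

```erlang
-module(privilege_iq_demo).
-export([old_is_response/1, new_is_response/1, demo/0]).

%% Hypothetical stanza model (not ejabberd's records): a map with
%%   type => get | set | result | error
%%   to   => recipient JID as a binary
%%   meta => #{privilege_iq => ReplacedJid} when privileged-IQ
%%           metadata is attached, #{} otherwise

%% Check as described before the fix: recipient equals the
%% impersonated JID, packet type ignored.
old_is_response(#{to := To, meta := #{privilege_iq := ReplacedJid}}) ->
    To =:= ReplacedJid;
old_is_response(_) ->
    false.

%% Check as described after the fix: any IQ result or error that
%% carries privileged-IQ metadata is a response to forward.
new_is_response(#{type := Type, meta := #{privilege_iq := _}})
  when Type =:= result; Type =:= error ->
    true;
new_is_response(_) ->
    false.

%% Constructed sample stanzas; JIDs are placeholders.
demo() ->
    Juliet = <<"juliet@example.org">>,
    Meta = #{privilege_iq => Juliet},
    Samples =
        [{request_to_impersonated_user,
          #{type => set, to => Juliet, meta => Meta}},
         {result_to_impersonated_user,
          #{type => result, to => Juliet, meta => Meta}},
         {error_with_other_recipient,
          #{type => error, to => <<"juliet@example.org/balcony">>, meta => Meta}},
         {unprivileged_result,
          #{type => result, to => Juliet, meta => #{}}}],
    [{Name, old_is_response(S), new_is_response(S)} || {Name, S} <- Samples].
```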

mod_privilege currently drops any non-privileged IQ received from a component
with an error about it not being properly wrapped. While this might
represent a mistake on the part of the component, it means that well-
behaved components can no longer send non-privileged IQs (something they
normally can do if mod_privilege isn't enabled).
Since mod_privilege is intended to grant additional permissions, and not
remove existing ones, route non-privileged IQs received from the component
normally.
This also removes the special-case for roster-query IQ stanzas, since
those are also non-privileged and will be routed along with any other
non-privileged IQ packet. This mirrors the privileged-IQ/everything-else
structure of the XEP, which defines the handling of privileged IQ
stanzas and leaves all other IQ stanzas as defined in their own specs.
To make this clearer, the predicate function now returns distinct
results indicating privileged IQs, non-privileged IQs, and error
conditions, rather than treating non-privileged IQs as an error that gets
handled by routing the packet normally.

Clients publish invalid bookmark elements in practice (e.g., bookmarks
with an empty <nick/> element). The server admin can't address that
issue, so don't spam the log with warnings.

Enable some modules so ejabberd creates their SQL tables
and later those tables can be updated without errors by mod_admin_update_sql
when ci.yml calls "make test" to check update_sql.
However, mod_shared_roster should be stopped before running the actual tests,
as it introduces undesired IQ queries.
On the other hand, a few SQL tables are global RAM, and cannot be created
in SQL just for a vhost that is not the first one defined.