From af2b2987969c6c7118bcc45e23c6d23a2a390f9d Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 11 Mar 2015 13:10:26 +0100
Subject: [PATCH] Add and document ability to run saslauth as non-root user, revert previous solution (#1189203)

---
 cyrus-sasl-2.1.26-saslauthd-user.patch | 33 ++++++++++++++++++++++++++
 cyrus-sasl.spec | 5 +++-
 saslauthd.tmpfiles | 2 +-
 3 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 cyrus-sasl-2.1.26-saslauthd-user.patch

diff --git a/cyrus-sasl-2.1.26-saslauthd-user.patch b/cyrus-sasl-2.1.26-saslauthd-user.patch
new file mode 100644
index 0000000..cace375
--- /dev/null
+++ b/cyrus-sasl-2.1.26-saslauthd-user.patch
@@ -0,0 +1,33 @@
+diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc
+index 37c6f6e..5b635ab 100644
+--- a/saslauthd/saslauthd.mdoc
++++ b/saslauthd/saslauthd.mdoc
+@@ -44,7 +44,27 @@ multi-user mode. When running against a protected authentication
+ database (e.g. the
+ .Li shadow
+ mechanism),
+-it must be run as the superuser.
++it must be run as the superuser. Otherwise it is recommended to run
++daemon unprivileged as saslauth:saslauth. You can do so by following
++these steps:
++.Bl -enum -compact
++.It
++create directory
++.Pa /etc/systemd/system/saslauthd.service.d/
++.It
++create file
++.Pa /etc/systemd/system/saslauthd.service.d/user.conf
++with content
++.Bd -literal
++[Service]
++User=saslauth
++Group=saslauth
++
++.Ed
++.It
++Reload systemd service file: run
++.Dq systemctl daemon-reload
++.El
+ .Ss Options
+ Options named by lower\-case letters configure the server itself.
+ Upper\-case options control the behavior of specific authentication
diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec
index 78890a8..5ed7a4a 100644
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
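Review bot: The last step of the new enumerated list in the saslauthd.mdoc hunk tells the reader to run only `systemctl daemon-reload` after adding the `User=`/`Group=` drop-in, but a daemon-reload re-reads unit files without restarting the running service, so saslauthd keeps running as root until it is restarted; suggest changing the step to `Reload systemd and restart the service: run` followed by `.Dq systemctl daemon-reload` and `.Dq systemctl restart saslauthd`. The added sentence `Otherwise it is recommended to run daemon unprivileged as saslauth:saslauth` is missing an article (`run the daemon`). It would also help the reader to state in the same paragraph that the unprivileged daemon needs write access to its runtime directory, which is why this package ships `/run/saslauthd` as root:saslauth 0775 in the spec and tmpfiles hunks of this commit.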
@@ -58,6 +58,8 @@ Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
 Patch54: cyrus-sasl-2.1.26-sample-leak.patch
 # Do not leak memory memory leak in plugin_common.c for password callback (#1191183)
 Patch55: cyrus-sasl-2.1.26-leak-callback-plugin_common.patch
+# Document ability to run saslauthd unprivileged (#1189203)
+Patch56: cyrus-sasl-2.1.26-saslauthd-user.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
@@ -204,6 +206,7 @@ chmod -x include/*.h
 %patch53 -p1 -b .sha1vsplain
 %patch54 -p1 -b .leak
 %patch55 -p1 -b .password-callback
+%patch56 -p1 -b .man-unprivileged
 
 %build
 
@@ -378,7 +381,7 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %config(noreplace) /etc/sysconfig/saslauthd
 %{_unitdir}/saslauthd.service
 %{_tmpfilesdir}/saslauthd.conf
-%dir %attr(-, saslauth, saslauth) /run/saslauthd
+%dir %attr(0775, root, saslauth) /run/saslauthd
 
 %files lib
 %defattr(-,root,root)
diff --git a/saslauthd.tmpfiles b/saslauthd.tmpfiles
index b3e48c5..0b28cd3 100644
--- a/saslauthd.tmpfiles
+++ b/saslauthd.tmpfiles
@@ -1 +1 @@
-d /run/saslauthd 0755 saslauth saslauth -
+d /run/saslauthd 0775 root saslauth -
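Review bot: The reason for the unusual ownership and mode is not recorded next to the new `%dir %attr(0775, root, saslauth) /run/saslauthd` line in the `@@ -378,7 +381,7 @@` hunk, and the identical value is repeated in the saslauthd.tmpfiles hunk, which is the entry that recreates the directory at boot. A maintainer who sees a root-owned but group-writable runtime directory is likely to tighten it back to 0755, which would silently break the unprivileged `User=saslauth` setup the new man-page patch describes, and the two copies can drift apart. Suggest a comment above the %dir line such as `# root-owned but group-writable so saslauthd can create its files here when run as saslauth (#1189203); keep in sync with saslauthd.tmpfiles`, and the same one-line comment in saslauthd.tmpfiles. That the daemon creates its socket or pid file under this directory is inferred from the directory's role rather than visible in the hunk, so word the comment accordingly.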