Add and document ability to run saslauth as non-root user, revert previous solution (#1189203)

This commit is contained in:
Jakub Jelen 2015-03-11 13:10:26 +01:00
parent 25b0bbbdb6
commit af2b298796
3 changed files with 38 additions and 2 deletions

View File

@ -0,0 +1,33 @@
diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc
index 37c6f6e..5b635ab 100644
--- a/saslauthd/saslauthd.mdoc
+++ b/saslauthd/saslauthd.mdoc
@@ -44,7 +44,27 @@ multi-user mode. When running against a protected authentication
database (e.g. the
.Li shadow
mechanism),
-it must be run as the superuser.
+it must be run as the superuser. Otherwise it is recommended to run
+daemon unprivileged as saslauth:saslauth. You can do so by following
+these steps:
+.Bl -enum -compact
+.It
+create directory
+.Pa /etc/systemd/system/saslauthd.service.d/
+.It
+create file
+.Pa /etc/systemd/system/saslauthd.service.d/user.conf
+with content
+.Bd -literal
+[Service]
+User=saslauth
+Group=saslauth
+
+.Ed
+.It
+Reload systemd service file: run
+.Dq systemctl daemon-reload
+.El
.Ss Options
Options named by lower\-case letters configure the server itself.
Upper\-case options control the behavior of specific authentication

View File

@ -58,6 +58,8 @@ Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
Patch54: cyrus-sasl-2.1.26-sample-leak.patch Patch54: cyrus-sasl-2.1.26-sample-leak.patch
# Do not leak memory memory leak in plugin_common.c for password callback (#1191183) # Do not leak memory memory leak in plugin_common.c for password callback (#1191183)
Patch55: cyrus-sasl-2.1.26-leak-callback-plugin_common.patch Patch55: cyrus-sasl-2.1.26-leak-callback-plugin_common.patch
# Document ability to run saslauthd unprivileged (#1189203)
Patch56: cyrus-sasl-2.1.26-saslauthd-user.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, automake, libtool, gdbm-devel, groff BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
@ -204,6 +206,7 @@ chmod -x include/*.h
%patch53 -p1 -b .sha1vsplain %patch53 -p1 -b .sha1vsplain
%patch54 -p1 -b .leak %patch54 -p1 -b .leak
%patch55 -p1 -b .password-callback %patch55 -p1 -b .password-callback
%patch56 -p1 -b .man-unprivileged
%build %build
@ -378,7 +381,7 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%config(noreplace) /etc/sysconfig/saslauthd %config(noreplace) /etc/sysconfig/saslauthd
%{_unitdir}/saslauthd.service %{_unitdir}/saslauthd.service
%{_tmpfilesdir}/saslauthd.conf %{_tmpfilesdir}/saslauthd.conf
%dir %attr(-, saslauth, saslauth) /run/saslauthd %dir %attr(0775, root, saslauth) /run/saslauthd
%files lib %files lib
%defattr(-,root,root) %defattr(-,root,root)

View File

@ -1 +1 @@
d /run/saslauthd 0755 saslauth saslauth - d /run/saslauthd 0775 root saslauth -