Add and document ability to run saslauth as non-root user, revert previous solution (#1189203)
This commit is contained in:
Jakub Jelen
parent
25b0bbbdb6
commit
af2b298796
33
cyrus-sasl-2.1.26-saslauthd-user.patch
Normal file
33
cyrus-sasl-2.1.26-saslauthd-user.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc
|
||||||
|
index 37c6f6e..5b635ab 100644
|
||||||
|
--- a/saslauthd/saslauthd.mdoc
|
||||||
|
+++ b/saslauthd/saslauthd.mdoc
|
||||||
|
@@ -44,7 +44,27 @@ multi-user mode. When running against a protected authentication
|
||||||
|
database (e.g. the
|
||||||
|
.Li shadow
|
||||||
|
mechanism),
|
||||||
|
-it must be run as the superuser.
|
||||||
|
+it must be run as the superuser. Otherwise it is recommended to run
|
||||||
|
+daemon unprivileged as saslauth:saslauth. You can do so by following
|
||||||
|
+these steps:
|
||||||
|
+.Bl -enum -compact
|
||||||
|
+.It
|
||||||
|
+create directory
|
||||||
|
+.Pa /etc/systemd/system/saslauthd.service.d/
|
||||||
|
+.It
|
||||||
|
+create file
|
||||||
|
+.Pa /etc/systemd/system/saslauthd.service.d/user.conf
|
||||||
|
+with content
|
||||||
|
+.Bd -literal
|
||||||
|
+[Service]
|
||||||
|
+User=saslauth
|
||||||
|
+Group=saslauth
|
||||||
|
+
|
||||||
|
+.Ed
|
||||||
|
+.It
|
||||||
|
+Reload systemd service file: run
|
||||||
|
+.Dq systemctl daemon-reload
|
||||||
|
+.El
|
||||||
|
.Ss Options
|
||||||
|
Options named by lower\-case letters configure the server itself.
|
||||||
|
Upper\-case options control the behavior of specific authentication
|
||||||
@ -58,6 +58,8 @@ Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
|
|||||||
Patch54: cyrus-sasl-2.1.26-sample-leak.patch
|
Patch54: cyrus-sasl-2.1.26-sample-leak.patch
|
||||||
# Do not leak memory memory leak in plugin_common.c for password callback (#1191183)
|
# Do not leak memory memory leak in plugin_common.c for password callback (#1191183)
|
||||||
Patch55: cyrus-sasl-2.1.26-leak-callback-plugin_common.patch
|
Patch55: cyrus-sasl-2.1.26-leak-callback-plugin_common.patch
|
||||||
|
# Document ability to run saslauthd unprivileged (#1189203)
|
||||||
|
Patch56: cyrus-sasl-2.1.26-saslauthd-user.patch
|
||||||
|
|
||||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
|
BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
|
||||||
@ -204,6 +206,7 @@ chmod -x include/*.h
|
|||||||
%patch53 -p1 -b .sha1vsplain
|
%patch53 -p1 -b .sha1vsplain
|
||||||
%patch54 -p1 -b .leak
|
%patch54 -p1 -b .leak
|
||||||
%patch55 -p1 -b .password-callback
|
%patch55 -p1 -b .password-callback
|
||||||
|
%patch56 -p1 -b .man-unprivileged
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -378,7 +381,7 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
|
|||||||
%config(noreplace) /etc/sysconfig/saslauthd
|
%config(noreplace) /etc/sysconfig/saslauthd
|
||||||
%{_unitdir}/saslauthd.service
|
%{_unitdir}/saslauthd.service
|
||||||
%{_tmpfilesdir}/saslauthd.conf
|
%{_tmpfilesdir}/saslauthd.conf
|
||||||
%dir %attr(-, saslauth, saslauth) /run/saslauthd
|
%dir %attr(0775, root, saslauth) /run/saslauthd
|
||||||
|
|
||||||
%files lib
|
%files lib
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
|
|||||||
@ -1 +1 @@
|
|||||||
d /run/saslauthd 0755 saslauth saslauth -
|
d /run/saslauthd 0775 root saslauth -
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user