[Bug 253049] security/cyrus-sasl2-saslauthd: allow runing as unprivileged user
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Wed Jan 27 16:28:30 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253049
Bug ID: 253049
Summary: security/cyrus-sasl2-saslauthd: allow runing as
unprivileged user
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: ume at FreeBSD.org
Reporter: ml at netfence.it
Flags: maintainer-feedback?(ume at FreeBSD.org)
Assignee: ume at FreeBSD.org
Created attachment 221966
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=221966&action=edit
SVN patch
Quoting saslauthd manual, "When running against a protected authentication
database (e.g. the shadow mechanism), it must be run as the superuser.
Otherwise it is recommended to run daemon unprivileged as saslauth:saslauth".
However, the port RC script does not allow this and always starts the daemon as
root.
The attached patch allows running as a different user, by setting
"saslauthd_user" in /etc/rc.conf (or equivalent).
Notice:
_ to comply with POLA, the default user is still root, so everything works as
before unless config is explicitly changed;
_ the port creates /var/run/saslauthd owned by cyrus:mail, so the only sensible
choice is "saslauthd_user=cyrus", unless those permissions are changed.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-ports-bugs
mailing list