[Bug 253049] security/cyrus-sasl2-saslauthd: allow runing as unprivileged user

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253049

            Bug ID: 253049
           Summary: security/cyrus-sasl2-saslauthd: allow runing as
                    unprivileged user
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ume at FreeBSD.org
          Reporter: ml at netfence.it
             Flags: maintainer-feedback?(ume at FreeBSD.org)
          Assignee: ume at FreeBSD.org

Created attachment 221966
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=221966&action=edit
SVN patch

Quoting saslauthd manual, "When running against a protected authentication
database (e.g. the shadow mechanism), it must be run as the superuser.
Otherwise it is recommended to run daemon unprivileged as saslauth:saslauth".

However, the port RC script does not allow this and always starts the daemon as
root.

The attached patch allows running as a different user, by setting
"saslauthd_user" in /etc/rc.conf (or equivalent).

Notice:
_ to comply with POLA, the default user is still root, so everything works as
before unless config is explicitly changed;
_ the port creates /var/run/saslauthd owned by cyrus:mail, so the only sensible
choice is "saslauthd_user=cyrus", unless those permissions are changed.

-- 
You are receiving this mail because:
You are the assignee for the bug.