Date: Wed, 27 Jan 2021 16:28:30 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 253049] security/cyrus-sasl2-saslauthd: allow running as unprivileged user
Message-ID: <bug-253049-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253049

            Bug ID: 253049
           Summary: security/cyrus-sasl2-saslauthd: allow running as unprivileged user
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ume@FreeBSD.org
          Reporter: ml@netfence.it
             Flags: maintainer-feedback?(ume@FreeBSD.org)

Created attachment 221966
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=221966&action=edit
SVN patch

Quoting saslauthd manual, "When running against a protected authentication database (e.g. the shadow mechanism), it must be run as the superuser. Otherwise it is recommended to run daemon unprivileged as saslauth:saslauth".

However, the port RC script does not allow this and always starts the daemon as root.

The attached patch allows running as a different user, by setting "saslauthd_user" in /etc/rc.conf (or equivalent).

Notice:
- to comply with POLA, the default user is still root, so everything works as before unless config is explicitly changed;
- the port creates /var/run/saslauthd owned by cyrus:mail, so the only sensible choice is "saslauthd_user=cyrus", unless those permissions are changed.

-- 
You are receiving this mail because:
You are the assignee for the bug.
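The second caveat in the report (the run directory is owned by cyrus:mail) can be checked before changing "saslauthd_user". The following is an added example, not part of the report or the attached patch: a POSIX sh function that decides, from the mode bits printed by `ls -ld`, whether a given user could write to a run directory. The function name is hypothetical, and ACLs and MAC policies are assumed not to be in use.

```shell
#!/bin/sh
# Added example: preflight check before setting saslauthd_user in rc.conf.
# can_write_rundir USER DIR
#   returns 0 if USER may create files in DIR according to the classic
#   owner/group/other permission bits, 1 if not, 2 if DIR is not a directory.
can_write_rundir() {
    user=$1
    dir=$2
    [ -d "$dir" ] || return 2

    # First four fields of `ls -ld`: mode, link count, owner, group.
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    group=$4

    # root bypasses the permission bits; that is the default the report
    # wants to make optional.
    if [ "$user" = root ]; then
        return 0
    fi

    # Exactly one permission class applies: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -Fqx "$group"; then
        bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
    fi

    # Creating a socket or pid file needs write and search (x) permission;
    # lowercase s/t mean the x bit is set together with setuid/setgid/sticky.
    case $bits in
        ?w[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage: sh check.sh cyrus /var/run/saslauthd
if [ "$#" -eq 2 ]; then
    if can_write_rundir "$1" "$2"; then
        echo "$1 can write to $2"
    else
        echo "$1 cannot write to $2; adjust ownership or pick another user"
    fi
fi
```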