From 15bb080b463962fd986049daa278f2c971b06dbb Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 27 Nov 2014 15:15:51 +0200
Subject: [PATCH] sasl: Do not run saslauthd as root on centos/fedora/rhel

---
 sasl/manifests/init.pp | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/sasl/manifests/init.pp b/sasl/manifests/init.pp
index c3d9840..00816e0 100644
--- a/sasl/manifests/init.pp
+++ b/sasl/manifests/init.pp
@@ -39,6 +39,10 @@ class sasl::client {
 #
 # For ldap authentication, see ldap::client for required global variables.
 #
+# When using kerberos5 mech on CentOS, Fedora or RedHat system
+# the saslauthd is ran as saslauth user and uses host/$FQDN from
+# /etc/saslauthd.keytab for authentication.
+#
 class sasl::saslauthd {
 require sasl::client
 
@@ -55,6 +59,7 @@ class sasl::saslauthd {
 changes => "set MECH ldap",
 notify => Service["saslauthd"],
 }
+ $user = "saslauth"
 }
 "openbsd": {
 Service["saslauthd"] {
@@ -87,9 +92,12 @@ class sasl::saslauthd {
 "centos","fedora","redhat": {
 augeas { "set-saslauthd-mech":
 context => "/files/etc/sysconfig/saslauthd",
- changes => "set MECH kerberos5",
+ changes => [ "set MECH kerberos5",
+ "set KRB5_KTNAME '\"/etc/saslauthd.keytab\"'",
+ "set @export KRB5_KTNAME", ],
 notify => Service["saslauthd"],
 }
+ $user = "saslauth"
 }
 "openbsd": {
 Service["saslauthd"] {
@@ -118,6 +126,30 @@ class sasl::saslauthd {
 }
 }
 
+ if $user {
+ case $::operatingsystem {
+ "centos","fedora","redhat": {
+ file { "/var/run/saslauthd":
+ ensure => directory,
+ mode => "0755",
+ owner => $user,
+ group => $user,
+ before => Service["saslauthd"],
+ }
+ augeas { "set-saslauthd-user":
+ context => "/files/etc/sysconfig/saslauthd",
+ changes => "set DAEMONOPTS '\"--user ${user}\"'",
+ notify => Service["saslauthd"],
+ }
+ }
+ default: {
+ fail("Running saslauthd as non root not supported on ${::operatingsystem}")
+ }
+ }
+ } else {
+ $user = "root"
+ }
+
 service { "saslauthd":
 ensure => running,
 enable => true,
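Review bot: The new comment block in the first hunk has two wording slips: "the saslauthd is ran as saslauth user" should read `# the saslauthd is run as the saslauth user and uses host/$FQDN from`, and "RedHat system" should be "systems". Because this comment is the only place the keytab path and the unprivileged user are documented together, it would also help to state the consequence there, e.g. `# /etc/saslauthd.keytab (readable by that user) for authentication.`, since a keytab left owned by root with a restrictive mode will not be usable by the daemon once it drops privileges. The class header this comment introduces continues outside the hunk.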
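Review bot: `$user = "saslauth"` is assigned in the ldap branch in the second hunk and again, identically, in the kerberos5 branch in the third hunk, so the decision of which platforms run saslauthd unprivileged is spread across the per-mechanism case statements rather than made once. A single assignment keyed on `$::operatingsystem` ahead of the mechanism dispatch, or a class parameter with that default, would keep both in step and would also cover a future mechanism branch that forgets the line and silently falls back to root. The enclosing case statements start and end outside these hunks.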
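Review bot: In the last hunk the `--user ${user}` switch reaches the daemon only through DAEMONOPTS, which takes effect where the sysvinit script hands that variable to the `daemon` helper; on releases that start saslauthd from a systemd unit with its own ExecStart it is likely ignored, and the service would then keep running as root with no error reported, so the non-root behaviour this commit promises should be verified per supported release and the limitation recorded with a comment such as `# DAEMONOPTS is consumed by the sysvinit script; confirm the systemd unit honours it on newer releases`. The hunk also re-owns only /var/run/saslauthd, while /etc/saslauthd.keytab, which the comment in the first hunk names as the credential source for the kerberos5 branch, is not managed here and has to be readable by $user (and ideally by nobody else) for the unprivileged daemon to authenticate; if no other class provisions it, a file resource next to the directory resource would close that gap. Note as well that `if $user` depends on an unset variable evaluating false, which is rejected once strict_variables is enabled, so initialising `$user` to undef at the top of the class would be safer. The class body continues outside the hunk.
```puppet
    if $user {
        case $::operatingsystem {
            "centos","fedora","redhat": {
                # … unchanged: /var/run/saslauthd directory resource …
                # The keytab must be readable by the unprivileged daemon and
                # by nobody else; drop this if another class manages the file.
                file { "/etc/saslauthd.keytab":
                    owner  => $user,
                    group  => $user,
                    mode   => "0400",
                    before => Service["saslauthd"],
                }
                # … unchanged: set-saslauthd-user augeas resource …
```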