sasl: Do not run saslauthd as root on centos/fedora/rhel

Timo Makinen 2014-11-27 15:15:51 +02:00
parent 6b4ab40c93
commit 15bb080b46


@ -39,6 +39,10 @@ class sasl::client {
#
# For ldap authentication, see ldap::client for required global variables.
#
# When using kerberos5 mech on CentOS, Fedora or RedHat system
# the saslauthd is ran as saslauth user and uses host/$FQDN from
# /etc/saslauthd.keytab for authentication.
#
class sasl::saslauthd {
require sasl::client
@ -55,6 +59,7 @@ class sasl::saslauthd {
changes => "set MECH ldap",
notify => Service["saslauthd"],
}
$user = "saslauth"
}
"openbsd": {
Service["saslauthd"] {
@ -87,9 +92,12 @@ class sasl::saslauthd {
"centos","fedora","redhat": {
augeas { "set-saslauthd-mech":
context => "/files/etc/sysconfig/saslauthd",
changes => "set MECH kerberos5",
changes => [ "set MECH kerberos5",
"set KRB5_KTNAME '\"/etc/saslauthd.keytab\"'",
"set @export KRB5_KTNAME", ],
notify => Service["saslauthd"],
}
$user = "saslauth"
}
"openbsd": {
Service["saslauthd"] {
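Review bot: Nothing in this hunk manages the ownership or mode of `/etc/saslauthd.keytab`, which the new `KRB5_KTNAME` setting points the daemon at while `$user = "saslauth"` makes the rest of the class drop root; the keytab therefore has to be readable by the saslauth user, and if a root-owned keytab is made readable by loosening its mode the host principal's key becomes available to every local account. I would add a file resource in the same branch, after the `$user` assignment, that pins `owner => $user`, `group => $user`, `mode => "0600"` and is ordered `before => Service["saslauthd"]`, so the permission change lands before the daemon restarts. This assumes the keytab itself is provisioned outside this module, since nothing visible here creates it. The `case $::operatingsystem` statement this hunk belongs to starts and ends outside the hunk.
```puppet
"centos","fedora","redhat": {
  # … unchanged: augeas "set-saslauthd-mech" …
  $user = "saslauth"
  file { "/etc/saslauthd.keytab":
    owner  => $user,
    group  => $user,
    mode   => "0600",
    before => Service["saslauthd"],
  }
}
```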
@ -118,6 +126,30 @@ class sasl::saslauthd {
}
}
if $user {
case $::operatingsystem {
"centos","fedora","redhat": {
file { "/var/run/saslauthd":
ensure => directory,
mode => "0755",
owner => $user,
group => $user,
before => Service["saslauthd"],
}
augeas { "set-saslauthd-user":
context => "/files/etc/sysconfig/saslauthd",
changes => "set DAEMONOPTS '\"--user ${user}\"'",
notify => Service["saslauthd"],
}
}
default: {
fail("Running saslauthd as non root not supported on ${::operatingsystem}")
}
}
} else {
$user = "root"
}
service { "saslauthd":
ensure => running,
enable => true,