CYRUS-SASL: /var/run/saslauthd permissions

Claus Regelmann rgc at rgc1.inka.de
Fri Oct 30 17:36:53 PDT 2009


Randy McMurchy wrote:
> Claus Regelmann wrote these words on 10/30/09 17:10 CST:
>> The BLFS installation instruction for cyrus-sasl says:
>> 'install -v -m700 -d /var/lib/sasl /var/run/saslauthd'
>> this restricts access to '/var/run/saslauthd/mux' to
>> processes running with root privs.
>>
>> I just recognized this problem, when installing/testing cyrus-imapd from scratch.
>> I followed the cyrus instructions to run the service under an unpriv user(cyrus),
>> and I set its authentication method to 'sasl_pwcheck_method:saslauthd'
>>
>> Setting the privs for '/var/run/saslauthd' 711 works.
> 
> Thanks for this information. I suppose it is the imapd that suggests
> using a unpriv user? Or is this in the Cyrus-SASL package instructions?
> I'll see if can't work up a ticket for this.
> 

'saslauthd' is a daemon running with root privs (therefore it has access to all system resources).
It provides an authentication service to unpriv processes via the
  UNIX socket '/var/run/saslauthd/mux'.
If the permissions of the directory '/var/run/saslauthd' are set to '700',
and the owner of this directory is 'root', no unpriv process will be able to
communicate with saslauthd because it cannot even enter the directory to open the socket.
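As an added illustration (not part of the post or of the cyrus-sasl package), a small Python model of the permission check the kernel performs when an unprivileged client connects to the mux socket: every directory on the path needs the search (x) bit, and the socket inode needs write permission. The uid/gid values and the assumed world-writable mode of the socket are constructed for the example.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Minimal model of the ownership and mode bits the kernel consults."""
    owner_uid: int
    owner_gid: int
    mode: int  # permission bits only, e.g. 0o700


def _has_perm(inode: Inode, uid: int, gids: frozenset, bit: int) -> bool:
    """True if uid (member of gids) holds `bit` (an 'other' R/W/X bit) on inode.
    Classes are tried owner, group, other; uid 0 bypasses DAC, which is why
    root-only clients never notice a 700 directory."""
    if uid == 0:
        return True
    if uid == inode.owner_uid:
        shift = 6
    elif inode.owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool(inode.mode & (bit << shift))


def can_connect(path_dirs, sock: Inode, uid: int, gids) -> bool:
    """Model connect() on a UNIX socket: search (x) on each directory
    component, then write permission on the socket inode itself."""
    gids = frozenset(gids)
    for d in path_dirs:
        if not _has_perm(d, uid, gids, stat.S_IXOTH):
            return False
    return _has_perm(sock, uid, gids, stat.S_IWOTH)


# Constructed ids for the unprivileged cyrus user (not from the post).
CYRUS_UID, CYRUS_GID = 1001, 1001


def cyrus_can_reach_mux(saslauthd_dir_mode: int) -> bool:
    """/var and /var/run root-owned 755; /var/run/saslauthd root-owned with the
    mode under discussion; mux assumed 0777 (an assumption, not from the post)."""
    dirs = [Inode(0, 0, 0o755), Inode(0, 0, 0o755), Inode(0, 0, saslauthd_dir_mode)]
    mux = Inode(0, 0, 0o777)
    return can_connect(dirs, mux, CYRUS_UID, {CYRUS_GID})


if __name__ == "__main__":
    print("700:", cyrus_can_reach_mux(0o700))  # False: cannot search the directory
    print("711:", cyrus_can_reach_mux(0o711))  # True: search bit lets it reach mux
```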