Randy McMurchy wrote:
> Claus Regelmann wrote these words on 10/30/09 17:10 CST:
>> The BLFS-installation instruction for cyrus-sasl says:
>> 'install -v -m700 -d /var/lib/sasl /var/run/saslauthd'
>> this restricts access to '/var/run/saslauthd/mux' to
>> processes running with root privs.
>>
>> I just recognized this problem, when installing/testing cyrus-imapd from
>> scratch.
>> I followed the cyrus instructions to run the service under an unpriv
>> user (cyrus),
>> and I set its authentication method to 'sasl_pwcheck_method:saslauthd'
>>
>> Setting the privs for '/var/run/saslauthd' to 711 works.
>
> Thanks for this information. I suppose it is the imapd that suggests
> using an unpriv user? Or is this in the Cyrus-SASL package instructions?
> I'll see if I can't work up a ticket for this.
>
'saslauthd' is a daemon running with root privs (and therefore has access to
all system resources). It provides an authentication service to unpriv
processes via the UNIX socket '/var/run/saslauthd/mux'.

If the permissions of the directory '/var/run/saslauthd' are set to '700',
and the owner of this directory is 'root', no unpriv process will be able to
communicate with saslauthd because it cannot even enter the directory to
open the socket.
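An added example, not part of the original messages: a Python check that walks the directories leading to a socket path and reports the first one a given uid cannot search, which is the failure described above for mode 700 versus 711. The function names, the `base` parameter and the temporary stand-in tree are assumptions made for the illustration; only classic owner/group/other mode bits are evaluated (no ACLs or LSM policy).

```python
import os
import shutil
import tempfile


def _allowed(st, uid, gids, bit):
    """Classic UNIX check: pick owner, group or other class, then test one bit."""
    if uid == 0:                      # root bypasses directory search checks
        return True
    if st.st_uid == uid:
        shift = 6                     # owner class
    elif st.st_gid in gids:
        shift = 3                     # group class
    else:
        shift = 0                     # other class
    return bool(st.st_mode & (bit << shift))


def blocker(path, uid, gids=(), base=os.sep):
    """Return why `uid` cannot reach the socket at `path`, or None if it can.

    Only components below `base` are examined (base itself is not checked).
    """
    path, base = os.path.abspath(path), os.path.abspath(base)
    current = base
    for name in os.path.relpath(path, base).split(os.sep)[:-1]:
        current = os.path.join(current, name)
        if not _allowed(os.stat(current), uid, gids, 0o1):
            return f"{current}: no search (x) permission"
    # On Linux, connecting to a UNIX socket also needs write access to it.
    if not _allowed(os.stat(path), uid, gids, 0o2):
        return f"{path}: no write permission on the socket"
    return None


def demo():
    """Constructed tree: <tmp>/saslauthd/mux, with a plain file as the socket."""
    base = tempfile.mkdtemp()
    run_dir = os.path.join(base, "saslauthd")
    mux = os.path.join(run_dir, "mux")
    os.mkdir(run_dir)
    open(mux, "w").close()
    os.chmod(mux, 0o666)              # stand-in for the socket's mode
    other_uid = os.getuid() + 1       # constructed uid that does not own the tree
    results = {}
    for mode in (0o700, 0o711):
        os.chmod(run_dir, mode)
        results[mode] = blocker(mux, other_uid, base=base)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for mode, reason in demo().items():
        print(oct(mode), reason or "reachable")
```

On a real system the call would be `blocker('/var/run/saslauthd/mux', uid, gids)` with the uid and group ids of the service account.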
