authorGravatar Mark <[email protected]>2024-08-22 21:58:03 -0700
committerGravatar Johannes Christ <[email protected]>2024-08-24 18:50:21 +0200
commitd0770bfa1bc6e653a882ed04a427af922dea33a8 (patch)
tree5a85c336a7c875fdef792ccb7448419f716a58c9
parentMove Keycloak to custom image (diff)
Run saslauthd under the "sasl" user & group
To improve security, run it as a new "sasl" user rather than as root. The existing "sasl" group is re-used. Note that Ansible does not provide an agnostic way to configure the user and group for a service. This change couples the configuration to systemd. Resolves #478
-rw-r--r--ansible/roles/sasl/files/user.conf3
-rw-r--r--ansible/roles/sasl/tasks/main.yml24
2 files changed, 26 insertions, 1 deletions
diff --git a/ansible/roles/sasl/files/user.conf b/ansible/roles/sasl/files/user.conf
new file mode 100644
index 0000000..71536f1
--- /dev/null
+++ b/ansible/roles/sasl/files/user.conf
@@ -0,0 +1,3 @@
+[Service]
+User=sasl
+Group=sasl
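Review bot: The drop-in changes the identity the daemon runs under but gives it no way to create its runtime state, so if the packaged saslauthd unit relies on the daemon itself (as root) creating the socket directory under /run, the service will no longer start after this override is applied; adding `RuntimeDirectory=saslauthd` under `[Service]` lets systemd create that directory owned by the sasl user before the daemon starts. Whether the distribution's unit already does this cannot be seen from the diff, so it should be checked on a fresh host rather than one where the directory already exists. A one-line header comment naming who installs the file, `# Managed by Ansible (role sasl): systemd drop-in for saslauthd.service`, would also help an operator who finds it on the host.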
diff --git a/ansible/roles/sasl/tasks/main.yml b/ansible/roles/sasl/tasks/main.yml
index f7884e3..e0ac221 100644
--- a/ansible/roles/sasl/tasks/main.yml
+++ b/ansible/roles/sasl/tasks/main.yml
@@ -9,6 +9,27 @@
tags:
- role::sasl
+- name: Create SASL authentication daemon user
+ user:
+ name: sasl
+ group: sasl
+ system: true
+ tags:
+ - role::sasl
+
+- name: Copy service user configuration for SASL authentication daemon
+ template:
+ src: user.conf
+ dest: /etc/systemd/system/saslauthd.service.d/user.conf
+ mode: "0640"
+ owner: root
+ group: root
+ tags:
+ - role::sasl
+ notify:
+ - Restart SASL
+ register: sasl_systemd_override
+
- name: Update SASL authentication daemon preferences
lineinfile:
path: /etc/default/saslauthd
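Review bot: The new template task writing `dest: /etc/systemd/system/saslauthd.service.d/user.conf` will fail on a fresh host because the `template` module does not create the missing `saslauthd.service.d` parent directory; a `file` task with `state: directory` has to run before it. The diffstat places the source under `files/`, which `template` does not search by default, and the content has no Jinja in it, so `copy` is the better fit unless a copy also exists under `templates/`. The new `user` task relies on the module defaults, which give the account a login shell and a home directory; for a daemon account the task should set `shell: /usr/sbin/nologin` (path is distribution-specific) and `create_home: false`. The tasks before and after the added ones continue outside the hunk.
```yaml
- name: Create SASL authentication daemon user
  user:
    name: sasl
    group: sasl
    system: true
    shell: /usr/sbin/nologin
    create_home: false
  tags:
    - role::sasl

- name: Create systemd drop-in directory for SASL authentication daemon
  file:
    path: /etc/systemd/system/saslauthd.service.d
    state: directory
    mode: "0755"
    owner: root
    group: root
  tags:
    - role::sasl

- name: Copy service user configuration for SASL authentication daemon
  copy:
    src: user.conf
    dest: /etc/systemd/system/saslauthd.service.d/user.conf
    # … unchanged: mode, owner, group, tags, notify, register …
```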
@@ -63,9 +84,10 @@
# END temporary tasks. Can be removed after initial deploy.
- name: Enable and start SASL authentication daemon
- service:
+ systemd_service:
name: saslauthd
state: started
enabled: true
+ daemon_reload: "{{ sasl_systemd_override is changed }}"
tags:
- role::sasl