From d0770bfa1bc6e653a882ed04a427af922dea33a8 Mon Sep 17 00:00:00 2001
From: Mark <1515135+MarkKoz@users.noreply.github.com>
Date: Thu, 22 Aug 2024 21:58:03 -0700
Subject: Run saslauthd under the "sasl" user & group

To improve security, run it as a new "sasl" user rather than as root. The existing "sasl" group is re-used.

Note that Ansible does not provide an agnostic way to configure the user and group for a service. This change couples the configuration to systemd.

Resolves #478
---
 ansible/roles/sasl/files/user.conf | 3 +++
 ansible/roles/sasl/tasks/main.yml | 24 +++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/sasl/files/user.conf

(limited to 'ansible')

diff --git a/ansible/roles/sasl/files/user.conf b/ansible/roles/sasl/files/user.conf
new file mode 100644
index 0000000..71536f1
--- /dev/null
+++ b/ansible/roles/sasl/files/user.conf
@@ -0,0 +1,3 @@
+[Service]
+User=sasl
+Group=sasl
diff --git a/ansible/roles/sasl/tasks/main.yml b/ansible/roles/sasl/tasks/main.yml
index f7884e3..e0ac221 100644
--- a/ansible/roles/sasl/tasks/main.yml
+++ b/ansible/roles/sasl/tasks/main.yml
@@ -9,6 +9,27 @@
   tags:
     - role::sasl
 
+- name: Create SASL authentication daemon user
+  user:
+    name: sasl
+    group: sasl
+    system: true
+  tags:
+    - role::sasl
+
+- name: Copy service user configuration for SASL authentication daemon
+  template:
+    src: user.conf
+    dest: /etc/systemd/system/saslauthd.service.d/user.conf
+    mode: "0640"
+    owner: root
+    group: root
+  tags:
+    - role::sasl
+  notify:
+    - Restart SASL
+  register: sasl_systemd_override
+
 - name: Update SASL authentication daemon preferences
   lineinfile:
     path: /etc/default/saslauthd
@@ -63,9 +84,10 @@
 # END temporary tasks. Can be removed after initial deploy.
 
 - name: Enable and start SASL authentication daemon
-  service:
+  systemd_service:
     name: saslauthd
     state: started
     enabled: true
+    daemon_reload: "{{ sasl_systemd_override is changed }}"
   tags:
     - role::sasl
-- 
cgit v1.2.3
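Review bot: The drop-in sets User= and Group= but gives the now-unprivileged daemon no writable location for its mux socket directory, which on the Debian-family hosts this role targets (it edits /etc/default/saslauthd) is conventionally under /run/saslauthd and is created as root; if that is the case here, saslauthd will fail to start once it runs as `sasl`. Consider adding `RuntimeDirectory=saslauthd` (with a `RuntimeDirectoryMode=` that still lets the sasl group reach the socket) to this [Service] section so systemd creates the directory owned by the new user, and confirm on a target host that saslauthd.service is a native unit rather than one generated from the sysv init script, where User= would apply to the script rather than the daemon. A one-line header such as `# Managed by Ansible (roles/sasl): run saslauthd unprivileged` would also help, since drop-ins under /etc/systemd/system are easy to overlook during incident triage.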
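Review bot: The new `template:` task looks like it will fail on a fresh host: `template` resolves `src` against the role's templates/ directory, yet the commit adds user.conf under files/ (and the file contains no Jinja), so the task should be `copy:` or the file should move; and neither module creates parent directories, so `/etc/systemd/system/saslauthd.service.d` needs a preceding `file: state: directory` task. The `user:` task also leaves Ansible's defaults of a home directory and login shell in place, which is more than a service account needs; `create_home: false` and `shell: /usr/sbin/nologin` keep the new account non-interactive. The `mode: "0640"` on the drop-in is fine because systemd reads it as root, but a short comment above the task saying so would stop a later reader from "fixing" it to match the world-readable unit files.
```yaml
- name: Create SASL authentication daemon user
  user:
    name: sasl
    group: sasl
    system: true
    create_home: false
    shell: /usr/sbin/nologin
  tags:
    - role::sasl

- name: Create systemd drop-in directory for SASL authentication daemon
  file:
    path: /etc/systemd/system/saslauthd.service.d
    state: directory
    mode: "0755"
    owner: root
    group: root
  tags:
    - role::sasl

- name: Copy service user configuration for SASL authentication daemon
  copy:
    src: user.conf
    # … unchanged: dest, mode, owner, group, tags, notify, register …
```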
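Review bot: Tying `daemon_reload` to `sasl_systemd_override is changed` is not safe across interrupted runs: if a play fails after the drop-in is written but before this task runs, the next run sees the file unchanged, never reloads, and saslauthd keeps starting from the stale unit definition as root. A daemon-reload is cheap, so `daemon_reload: true` (or performing the reload inside the Restart SASL handler, which is outside this diff) closes that window. Note also that `systemd_service` is only available in ansible-core 2.15 and later; if the project supports older controllers, `ansible.builtin.systemd` is the same module under its earlier name.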