From eb2c9a45af5c9c100520cdfff6d9e15dbe39500d Mon Sep 17 00:00:00 2001
From: Johannes Christ
Date: Sun, 1 Sep 2024 16:05:23 +0200
Subject: Override runtime directory permissions
---
 ansible/roles/sasl/tasks/main.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
(limited to 'ansible')
diff --git a/ansible/roles/sasl/tasks/main.yml b/ansible/roles/sasl/tasks/main.yml
index 7f72260..6e7fb86 100644
--- a/ansible/roles/sasl/tasks/main.yml
+++ b/ansible/roles/sasl/tasks/main.yml
@@ -61,6 +61,29 @@
 notify:
 - Restart SASL

+# The sysvinit script checks for a dpkg-statoverride when first starting. If
+# one exists, it uses it, if none exists, ti creates the directory with
+# ownership u=root g=sasl m=710. With these two tasks, we check whether there's
+# a default override already specified (presumably from package installation)
+# and only set it if it's distinct, ensuring idempotency.
+- name: Check current overrides for runtime directory
+ command: dpkg-statoverride --list "{{ sasl_mux_path }}"
+ changed_when: false
+ register: sasl_statoverride_list
+ tags:
+ - role::sasl
+
+- name: Ask dpkg to create runtime directory as sasl user # noqa: no-changed-when
+ command: "dpkg-statoverride --update --force-statoverride-add --add {{ statoverride_line }}"
+ tags:
+ - role::sasl
+ when:
+ # Only if necessary.
+ - sasl_statoverride_list.stdout_lines
+ - sasl_statoverride_list.stdout_lines[0] != statoverride_line
+ vars:
+ statoverride_line: "sasl sasl 710 {{ sasl_mux_path }}"
+
 - name: Copy SASL LDAP configuration
 template:
 src: saslauthd.conf.j2
-- 
cgit v1.2.3
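Review bot: The check task has no `failed_when`, and dpkg-statoverride(1) documents exit status 1 for `--list` when no override matches, so on a host with no existing override for `sasl_mux_path` the play would stop at "Check current overrides for runtime directory". Even with that exit code tolerated, the first `when` condition on the second task skips the `--add` whenever the list is empty, which per the comment leaves the init script's root:sasl 710 default in place instead of the intended `sasl sasl 710`. I would add `failed_when: sasl_statoverride_list.rc > 1` to the check and collapse the gate to the single condition `- (sasl_statoverride_list.stdout_lines | first | default('')) != statoverride_line`, so the override is applied both when it is missing and when it differs. If the missing-override case is meant to keep the package default, a comment saying so would help, since the owner and mode of this directory presumably decide which accounts can reach the saslauthd socket.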