[cyrus-sasl] Add and document ability to run saslauth as non-root user, revert previous solution (#1189203)

Jakub Jelen jjelen at fedoraproject.org
Fri Mar 13 16:27:17 UTC 2015


commit af2b2987969c6c7118bcc45e23c6d23a2a390f9d
Author: Jakub Jelen <jjelen at redhat.com>
Date:   Wed Mar 11 13:10:26 2015 +0100

    Add and document ability to run saslauth as non-root user, revert previous solution (#1189203)

 cyrus-sasl-2.1.26-saslauthd-user.patch | 33 +++++++++++++++++++++++++++++++++
 cyrus-sasl.spec                        |  5 ++++-
 saslauthd.tmpfiles                     |  2 +-
 3 files changed, 38 insertions(+), 2 deletions(-)
---
diff --git a/cyrus-sasl-2.1.26-saslauthd-user.patch b/cyrus-sasl-2.1.26-saslauthd-user.patch
new file mode 100644
index 0000000..cace375
--- /dev/null
+++ b/cyrus-sasl-2.1.26-saslauthd-user.patch
@@ -0,0 +1,33 @@
+diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc
+index 37c6f6e..5b635ab 100644
+--- a/saslauthd/saslauthd.mdoc
++++ b/saslauthd/saslauthd.mdoc
+@@ -44,7 +44,27 @@ multi-user mode. When running against a protected authentication
+ database (e.g. the
+ .Li shadow
+ mechanism),
+-it must be run as the superuser.
++it must be run as the superuser. Otherwise it is recommended to run
++daemon unprivileged as saslauth:saslauth. You can do so by following
++these steps:
++.Bl -enum -compact
++.It
++create directory
++.Pa /etc/systemd/system/saslauthd.service.d/
++.It
++create file
++.Pa /etc/systemd/system/saslauthd.service.d/user.conf
++with content
++.Bd -literal
++[Service]
++User=saslauth
++Group=saslauth
++
++.Ed
++.It
++Reload systemd service file: run
++.Dq systemctl daemon-reload
++.El
+ .Ss Options
+ Options named by lower\-case letters configure the server itself.
+ Upper\-case options control the behavior of specific authentication
diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec
index 78890a8..5ed7a4a 100644
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@@ -58,6 +58,8 @@ Patch53: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
 Patch54: cyrus-sasl-2.1.26-sample-leak.patch
 # Do not leak memory memory leak in plugin_common.c for password callback (#1191183)
 Patch55: cyrus-sasl-2.1.26-leak-callback-plugin_common.patch
+# Document ability to run saslauthd unprivileged (#1189203)
+Patch56: cyrus-sasl-2.1.26-saslauthd-user.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
@@ -204,6 +206,7 @@ chmod -x include/*.h
 %patch53 -p1 -b .sha1vsplain
 %patch54 -p1 -b .leak
 %patch55 -p1 -b .password-callback
+%patch56 -p1 -b .man-unprivileged
 
 
 %build
@@ -378,7 +381,7 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
 %config(noreplace) /etc/sysconfig/saslauthd
 %{_unitdir}/saslauthd.service
 %{_tmpfilesdir}/saslauthd.conf
-%dir %attr(-, saslauth, saslauth) /run/saslauthd
+%dir %attr(0775, root, saslauth) /run/saslauthd
 
 %files lib
 %defattr(-,root,root)
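Review bot: The new `%dir %attr(0775, root, saslauth) /run/saslauthd` entry makes the runtime directory group-writable with no comment explaining why, and the saslauthd.tmpfiles hunk sets the same mode (`d /run/saslauthd 0775 root saslauth -`). With group write on the directory, any account in the saslauth group can create, rename or remove entries there, presumably including the socket and pid file the daemon keeps in it, even while the daemon still runs as root in the default configuration. Membership of that group should therefore be treated as equivalent to control of the authentication endpoint. I would add a comment above the line, e.g. `# root:saslauth 0775 so saslauthd can create its socket here when run as saslauth (#1189203); keep in sync with saslauthd.tmpfiles; the saslauth group must contain only the daemon account`. The %files section this line belongs to starts outside the hunk.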
diff --git a/saslauthd.tmpfiles b/saslauthd.tmpfiles
index b3e48c5..0b28cd3 100644
--- a/saslauthd.tmpfiles
+++ b/saslauthd.tmpfiles
@@ -1 +1 @@
-d /run/saslauthd 0755 saslauth saslauth -
+d /run/saslauthd 0775 root saslauth -

