From a7c558d85f44fe567cb458804da4eefa52efbcf2 Mon Sep 17 00:00:00 2001
From: EuAndreh
Date: Wed, 30 Nov 2022 17:37:07 -0300
Subject: queue.scm: Do not run saslauthd under root

---
 src/xyz/euandreh/queue.scm | 37 ++++++++++++++++++++++++++++++-------
 1 file changed, 30 insertions(+), 7 deletions(-)

(limited to 'src/xyz/euandreh')

diff --git a/src/xyz/euandreh/queue.scm b/src/xyz/euandreh/queue.scm
index 5c76b8d..cca1354 100644
--- a/src/xyz/euandreh/queue.scm
+++ b/src/xyz/euandreh/queue.scm
@@ -329,7 +329,7 @@ collections.OrderedDict that works in Python 2.4-2.6.")
 shadow-group-configuration
 make-shadow-group-configuration
 shadow-group-configuration?
- (group shadow-group-configuration-group (default "shadow")))
+ (group shadow-group-configuration-group (default "etc-shadow")))
 
 (define (shadow-group-activation config)
 (match-record config
@@ -376,10 +376,13 @@ collections.OrderedDict that works in Python 2.4-2.6.")
 cyrus-sasl-configuration
 make-cyrus-sasl-configuration
 cyrus-sasl-configuration?
- (cyrus-sasl cyrus-sasl-configuration-cyrus-sasl (default cyrus-sasl))
- (authmech cyrus-sasl-configuration-authmech (default "shadow"))
- (services cyrus-sasl-configuration-services (default '()))
- (state-dir cyrus-sasl-configuration-state-dir (default "/var/lib/saslauthd")))
+ (cyrus-sasl cyrus-sasl-configuration-cyrus-sasl (default cyrus-sasl))
+ (user cyrus-sasl-configuration-user (default "cyrus-sasl"))
+ (group cyrus-sasl-configuration-group (default "cyrus-sasl"))
+ (extra-groups cyrus-sasl-configuration-extra-groups (default '("etc-shadow")))
+ (authmech cyrus-sasl-configuration-authmech (default "shadow"))
+ (services cyrus-sasl-configuration-services (default '()))
+ (state-dir cyrus-sasl-configuration-state-dir (default "/var/lib/saslauthd")))
 
 (define (cyrus-sasl-etc-files config)
 (match-record config
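Review bot: The new `extra-groups` default `'("etc-shadow")` in the second hunk duplicates the literal that the first hunk sets as the default of `shadow-group-configuration-group`, so a deployment that renames the shadow group in one record silently keeps the other one, and the service account presumably loses its read path to /etc/shadow without any error at configuration time. Define the name once, `(define %etc-shadow-group "etc-shadow")`, and use `(default %etc-shadow-group)` in the shadow-group record and `(default (list %etc-shadow-group))` in the Cyrus SASL record. Separately, the default grants /etc/shadow read access to the service account whenever the service is enabled, even when `authmech` is not `"shadow"`; a comment on the `extra-groups` field saying the group is only needed for the shadow mechanism, or an empty default that the shadow case fills in, would keep the least-privilege intent of the commit visible to the next reader.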
@@ -408,9 +411,25 @@ collections.OrderedDict that works in Python 2.4-2.6.")
 "Creating Cyrus SASL socket directory: \"~a\".~%"
 #$state-dir)
 (mkdir-p #$state-dir))))
 
+(define (cyrus-sasl-accounts config)
+ (match-record config
+ (user group extra-groups)
+ (list
+ (user-account
+ (name user)
+ (group group)
+ (supplementary-groups extra-groups)
+ (comment "Cyrus SASL system user")
+ (home-directory "/var/empty")
+ (shell (file-append shadow "/sbin/nologin"))
+ (system? #t))
+ (user-group
+ (name group)
+ (system? #t)))))
+
 (define (cyrus-sasl-shepherd-service config)
 (match-record config
- (cyrus-sasl authmech state-dir)
+ (cyrus-sasl user group authmech state-dir)
 (list
 (shepherd-service
 (provision '(cyrus-sasl))
@@ -422,7 +441,9 @@ collections.OrderedDict that works in Python 2.4-2.6.")
 #$authmech
 "-d"
 "-m"
- #$state-dir)))
+ #$state-dir)
+ #:user #$user
+ #:group #$group))
 (stop #~(make-kill-destructor))))))
 
 (define cyrus-sasl-service-type
@@ -436,6 +457,8 @@ collections.OrderedDict that works in Python 2.4-2.6.")
 cyrus-sasl-activation)
 (service-extension profile-service-type
 (compose list cyrus-sasl-configuration-cyrus-sasl))
+ (service-extension account-service-type
+ cyrus-sasl-accounts)
 (service-extension shepherd-root-service-type
 cyrus-sasl-shepherd-service)))
 (compose srfi-1:concatenate)
-- 
cgit v1.2.3
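Review bot: `cyrus-sasl-accounts` creates the `cyrus-sasl` user and group, but nothing in this change makes the state directory usable by them: the activation context just above it still runs `(mkdir-p #$state-dir)` as root and never changes ownership, while the shepherd hunk below now launches saslauthd under `#:user`/`#:group`, so the daemon will presumably be unable to create its socket and pid file under `/var/lib/saslauthd`. Add `user group` to the activation's `match-record` (its head is outside this hunk) and follow the `mkdir-p` with `(chown #$state-dir (passwd:uid (getpwnam #$user)) (group:gid (getgrnam #$group)))`. The supplementary group `etc-shadow` is also not created here; it is presumably provided by the shadow-group service, so this service type will fail account activation when used without it, which a comment on `cyrus-sasl-accounts` stating that dependency should make explicit.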
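Review bot: `#:user #$user` and `#:group #$group` switch saslauthd's uid and primary gid, but nothing passes the `extra-groups` the account was given, so whether the process actually holds the `etc-shadow` supplementary group — the only thing that lets a non-root saslauthd read /etc/shadow with `authmech` `"shadow"` — depends on how the Shepherd version in use implements `make-forkexec-constructor`. If that Shepherd supports `#:supplementary-groups`, add `extra-groups` to the `match-record` list and pass `#:supplementary-groups '#$extra-groups` next to `#:group`; otherwise the daemon will start but every authentication will presumably fail with a permission error on /etc/shadow. A short comment on the `#:user` line recording which of the two holds is worth adding, since the privilege drop is the whole point of the commit.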