Created attachment 221966
SVN patch

Quoting saslauthd manual, "When running against a protected authentication database (e.g. the shadow mechanism), it must be run as the superuser. Otherwise it is recommended to run daemon unprivileged as saslauth:saslauth".

However, the port RC script does not allow this and always starts the daemon as root.

The attached patch allows running as a different user, by setting "saslauthd_user" in /etc/rc.conf (or equivalent).

Notice:
- to comply with POLA, the default user is still root, so everything works as before unless config is explicitly changed;
- the port creates /var/run/saslauthd owned by cyrus:mail, so the only sensible choice is "saslauthd_user=cyrus", unless those permissions are changed.
Good catch. Reflecting upon the problem, it's as though we need a new default user to "manage" the authentication stream. Perhaps auth:*:6:10:Authentication pseudo-user:/var/empty:/usr/sbin/nologin because it's also ldap, pam, heimdal, samba... :)
Thanks for your report. However, it is intentional, and you do not need your patch to change user. You can change user by just putting `saslauthd_user=XXX' into /etc/rc.conf.
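
A check for the ownership caveat raised in the first comment, as an added example that is not part of the report, the patch or the port: it reads `saslauthd_user` from an rc.conf-style file and compares it with the owner of the run directory. The function names are hypothetical; the paths in the usage comment are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not the port's code. Function names are hypothetical.

# Print the last saslauthd_user value assigned in an rc.conf-style file,
# or "root" when it is unset (the default described in the report).
# The file is parsed with sed, never sourced, so nothing in it is executed.
configured_user() {
    user=$(sed -n "s/^[[:space:]]*saslauthd_user=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${user:-root}"
}

# Print the owner of a directory as ls reports it (name, or uid if unnamed).
dir_owner() {
    ls -ld -- "$1" | awk '{print $3}'
}

# Return 0 if saslauthd_user is root or owns the run directory,
# 1 on an ownership mismatch, 2 if an input is missing.
check_saslauthd_user() {
    conf=$1
    rundir=$2
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    [ -d "$rundir" ] || { echo "no such directory: $rundir" >&2; return 2; }
    user=$(configured_user "$conf")
    owner=$(dir_owner "$rundir")
    if [ "$user" = root ]; then
        echo "saslauthd_user is root: daemon keeps superuser privileges"
        return 0
    fi
    if [ "$user" = "$owner" ]; then
        echo "ok: $rundir is owned by $user"
        return 0
    fi
    echo "mismatch: saslauthd_user=$user, but $rundir is owned by $owner" >&2
    return 1
}

# Stand-alone use: sh check.sh /etc/rc.conf /var/run/saslauthd
if [ "$#" -eq 2 ]; then
    check_saslauthd_user "$1" "$2"
fi
```

A non-zero exit before restarting the service means the daemon would start as a user that does not own its run directory.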