How to protect saslauthd with systemd
This example shows how to run the saslauthd daemon unprivileged on operating systems from Red Hat. See Red Hat's manual page saslauthd(8) for additional information.
Add system users that need to communicate with the saslauthd daemon to the group saslauth. Restart the services that use these system users.
Create the directory /etc/systemd/system/saslauthd.service.d and the file /etc/systemd/system/saslauthd.service.d/user.conf with the following content:
[Service]
User=saslauth
Group=saslauth
RuntimeDirectoryMode=0750
IPAddressAllow=localhost
IPAddressDeny=any
CapabilityBoundingSet=
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateNetwork=no
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectProc=invisible
ProcSubset=pid
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
The settings IPAddressAllow=localhost and IPAddressDeny=any restrict the daemon's network access to services on the saslauthd daemon's own host. Adapt or remove these settings if your LDAP servers are on remote hosts. See systemd.resource-control(5) for details. Depending on your saslauthd setup, you may have to tune other settings. See systemd.exec(5) for more information.
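If saslauthd uses the LDAP mechanism, the following check lists the LDAP servers that IPAddressAllow=localhost and IPAddressDeny=any would cut off. It is an added example, not part of the original page; it assumes the LDAP settings live in a file such as /etc/saslauthd.conf with an ldap_servers line, and the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example: find ldap_servers entries that the drop-in's
# IPAddressAllow=localhost / IPAddressDeny=any pair would block.

# remote_ldap_hosts FILE
# Prints one non-local host per line from the ldap_servers setting.
remote_ldap_hosts() {
    # ldap_servers holds whitespace-separated URIs, e.g. ldap://host:389/
    sed -n 's/^[[:space:]]*ldap_servers[[:space:]]*:[[:space:]]*//p' "$1" |
    tr -s ' \t' '\n' |
    while IFS= read -r uri; do
        case $uri in
            ''|ldapi://*) continue ;;   # UNIX socket: no IP traffic involved
        esac
        host=${uri#*://}                # strip the scheme
        host=${host%%/*}                # strip the path
        case $host in
            \[*\]*) host=${host#\[}; host=${host%%\]*} ;;   # [IPv6]:port
            *)      host=${host%%:*} ;;                     # host:port
        esac
        case $host in
            # systemd's "localhost" means 127.0.0.0/8 and ::1/128;
            # an empty host makes the LDAP library use the local default.
            ''|localhost|127.[0-9]*|::1) ;;
            *) printf '%s\n' "$host" ;;
        esac
    done
}

# Constructed sample configuration (assumption, not from the page).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ldap_servers: ldap://localhost/ ldaps://ldap.example.com:636/ ldap://[2001:db8::10]/
ldap_search_base: dc=example,dc=com
EOF
blocked=$(remote_ldap_hosts "$sample")
rm -f "$sample"
[ -z "$blocked" ] ||
    printf 'Blocked by IPAddressAllow=localhost:\n%s\n' "$blocked"
```

Run the function against your own file, for example remote_ldap_hosts /etc/saslauthd.conf. Host names are not resolved, so a name that points to a loopback address is still listed.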
Check your systemd configuration with:
systemd-analyze security saslauthd.service
Enable your configuration with:
systemctl daemon-reload
systemctl restart saslauthd.service
Test your new setup:
unset HISTFILE
/usr/sbin/testsaslauthd -s login -u "$USER" -p 'your password'
Adapt the systemd configuration if your security settings are too tight.