My takeaway from the above is that the daemon service itself still runs as root, just the group name changes, so for the specific scenario raised in question #2 it looks like the daemon's read access to root-only files like shadow would be unaffected. Similarly, the issue I raised in "Where Problems May Occur" due to root ownership of files in /var/run/saslauthd would not be exhibited by read (or write) errors by the daemon itself.
Indeed, it appears the contents of /var/run/saslauthd are cleared when the daemon stops, or is restarted, so if there *was* an issue with files in the run directory it should present immediately at service stop/start/restart:

$ sudo systemctl stop saslauthd
$ sudo ls /var/run/saslauthd/ -l
ls: cannot access '/var/run/saslauthd/': No such file or directory

$ sudo systemctl start saslauthd
$ sudo ls /var/run/saslauthd/ -l
total 968
-rw------- 1 root sasl 0 Oct 3 16:38 cache.flock
-rw------- 1 root sasl 986112 Oct 3 16:38 cache.mmap
srwxrwxrwx 1 root sasl 0 Oct 3 16:38 mux
-rw------- 1 root sasl 0 Oct 3 16:38 mux.accept
-rw------- 1 root sasl 6 Oct 3 16:38 saslauthd.pid

$ sudo systemctl restart saslauthd
$ sudo ls /var/run/saslauthd/ -l
total 968
-rw------- 1 root sasl 0 Oct 3 16:38 cache.flock
-rw------- 1 root sasl 986112 Oct 3 16:38 cache.mmap
srwxrwxrwx 1 root sasl 0 Oct 3 16:38 mux
-rw------- 1 root sasl 0 Oct 3 16:38 mux.accept
-rw------- 1 root sasl 6 Oct 3 16:38 saslauthd.pid

$ sleep 60
$ sudo systemctl restart saslauthd
$ sudo ls /var/run/saslauthd/ -l
total 968
-rw------- 1 root sasl 0 Oct 3 16:39 cache.flock
-rw------- 1 root sasl 986112 Oct 3 16:39 cache.mmap
srwxrwxrwx 1 root sasl 0 Oct 3 16:39 mux
-rw------- 1 root sasl 0 Oct 3 16:39 mux.accept
-rw------- 1 root sasl 6 Oct 3 16:39 saslauthd.pid

$ sleep 120
$ sudo ls /var/run/saslauthd/ -l
total 968
-rw------- 1 root sasl 0 Oct 3 16:39 cache.flock
-rw------- 1 root sasl 986112 Oct 3 16:39 cache.mmap
srwxrwxrwx 1 root sasl 0 Oct 3 16:39 mux
-rw------- 1 root sasl 0 Oct 3 16:39 mux.accept
-rw------- 1 root sasl 6 Oct 3 16:39 saslauthd.pid

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2078851

Title: saslauthd wrong permission of /var/spool/postfix/var/run/saslauthd