By default smapd runs with the privileges of the user that
started it. Normally, this user is root. If you wish it to switch to
some unprivileged user after startup, use the user
configuration statement:
user daemon
The above example instructs smapd to switch to the UID of
the user ‘daemon’ and to the GID of its principal group. The
rest of groups the user might be a member of is dropped. To retain
all supplementary user groups, use the allgroup statement. Its
argument is a boolean value, i.e. ‘yes’, ‘on’,
‘true’, or ‘t’ to indicate the true value,
and ‘no’, ‘off’, ‘false’ or ‘nil’ to indicate
false. So, to switch to the user ‘daemon’ and also retain
all its supplementary groups, one would write:
user daemon allgroups yes
You may also retain only some of the user’s group, or even some
groups the user is not member of. This is done using the group
statement:
user daemon group mail mysql
Arguments to group are any number of valid group names.
Notice, that while running smapd with non-root privileges
might be a good idea, it may render some modules useless. For
example, the mailutils module in ‘mbq’ mode (see mbq)
requires root privileges for normal operation. To allow for
such uses, instead of setting global user privileges, set them
on a per-server basis. See servers, for a detailed discussion of
this technique.