[Bug 199314] net/haproxy: create haproxy user, install sample config

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Apr 9 15:20:51 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199314

            Bug ID: 199314
           Summary: net/haproxy: create haproxy user, install sample
                    config
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: demon at FreeBSD.org
          Reporter: feld at FreeBSD.org
             Flags: maintainer-feedback?(demon at FreeBSD.org)

Created attachment 155368
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=155368&action=edit
haproxy port patch

Hello,

This patch installs a sample config from the EXAMPLES dir, already modified to
use a new haproxy uid and gid. It also has chroot enabled to the /var/empty
directory, which should be sufficient.

This should help alleviate damage from a future haproxy exploit as haproxy
would not be running as root.

Unfortunately, we cannot just force haproxy to always run as root via the rc
script, as haproxy may need to listen on reserved ports (<1024) to proxy 80,
443, etc.

It would be wise to encourage users in pkg-message to update their
configurations to use the haproxy user, but I have not composed such a message.

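
The report suggests encouraging users to update existing configurations to the haproxy user. The following is an added example, not part of the attached patch or the port: a small check of whether a haproxy.cfg `global` section drops privileges and sets a chroot. The function name `audit_global` and both sample configs are constructed for illustration, and comment handling is simplified.

```python
import re

# Keywords that open a new HAProxy configuration section.
SECTION = re.compile(
    r"^(global|defaults|frontend|backend|listen|userlist|peers|resolvers|mailers)\b")

def audit_global(cfg_text):
    """Return findings about privilege dropping in the 'global' section."""
    settings, in_global = {}, False
    for raw in cfg_text.splitlines():
        # Simplification: treats every '#' as a comment start (ignores quoting).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            in_global = m.group(1) == "global"
            continue
        if in_global:
            parts = line.split(None, 1)
            settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    # 'user'/'group' take names, 'uid'/'gid' take numbers; either form counts.
    user = settings.get("user", settings.get("uid"))
    group = settings.get("group", settings.get("gid"))
    if user is None:
        findings.append("no user/uid: haproxy keeps the identity it was started with")
    elif user in ("root", "0"):
        findings.append("user/uid is root")
    if group is None:
        findings.append("no group/gid: haproxy keeps its starting group")
    elif group in ("wheel", "root", "0"):  # gid 0 is 'wheel' on FreeBSD
        findings.append("group/gid is the root group")
    if not settings.get("chroot"):
        findings.append("no chroot directory set")
    return findings

# Constructed sample configs (not taken from the port or its EXAMPLES dir).
HARDENED = "global\n    user haproxy\n    group haproxy\n    chroot /var/empty\n    daemon\n\ndefaults\n    mode http\n"
WEAK = "global\n    daemon  # identity unchanged\n    uid 0\n\nfrontend www\n    bind :80\n"

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_global(cfg) or "ok")
```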

