From nobody Thu Oct 12 02:38:56 2023
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S5Yjr2gPLz4x52M;
	Thu, 12 Oct 2023 02:38:56 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4S5Yjr1mt1z4KWg;
	Thu, 12 Oct 2023 02:38:56 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1697078336;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=iLs5pMhVhaVsOsTpSM5CE1xnaGxftcx5/ZqbAgk83qc=;
	b=tGhieIKUHy+YgmphFaXSGeQnl9CnfN/PaXNXTEsqGoUiEZI/KSrXPisSciygIpknTLrQtd
	5dhqotk59Tp9cyihilwXXZUzbF8pUcUjLYHUYAgOXcBahIDx1tHtm/X7amonaH6jPvo+tk
	RiPA7J0htNkJWC9AElWk98IcqMYGkXE1EjZpHxQr/la0l6/8rR07zXUADxkHuTwd2m5Pbv
	h4/RyA3/JhZFPUGP6Of5l7bAsvRJVDAYhnv+MZkOHnVJYRKHMEJt3dN+4deIVR1EcFJ+Iq
	gQ0LIJV658VOmWXJAGUezYpgm4GR0aggWf5bhy1l1NOpD/jy1ff7ickxND8Sgw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1697078336; a=rsa-sha256; cv=none;
	b=KNsbUQ2dT/zcuFuw0J1w5vAkwyo22Wz/K9W94qA/7M/ukdQsZn0ndo+KL/UKYdIwgj6WoF
	KNsrzc8crsziSzcMnJigCM1svJCgsjwixL72Q5ZKjGRXRwAnABk//M/nobBbOM6Juf9wt5
	/dZdbPiZR01SGasNRnpVG/AahIkIYwBJK3aIGWM3nCCzGYImEiJopQHmDcFWesqvDQdQJa
	MWm6Jloyq1WxohHlF4/Y3GasBWEh3fkaNno582QUGm3o6EHrN9ju5hiPXf7jt51U4BtGn+
	jbyCOOJc0LcU+AYjQce+JNZ5YHocfJgamj6vJbO/bNKw+WKNDxIVTcILJpR4VA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1697078336;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=iLs5pMhVhaVsOsTpSM5CE1xnaGxftcx5/ZqbAgk83qc=;
	b=wY5CbAVZqt0Zg/XfkL5KAKFy1/jDCr6eRsf4IaARKdLka4n7UdrIum+iMTzdQCpYDI+WpU
	J0UOdvDhhU1Ae2EczHubc3yBnPAcbu6Mesbn7XA/xDAMeIuMZvJ4mTvwLUP1ivBDcLXomk
	pZ7BGiKyS3jK1m73B/mz8g3bvTKFrKi/cVYZlIxfSfgR64THBv/EqaD+kcBgGtsZWua8hr
	66ssTmmfWJjz82w07tZRiWZlCIlqr2lKVdmD15iQCczckIaWOdGwVoWmCWQ6Spnr54CD2L
	ZZ3xMtkCsy26zXH5lYarJTxniQAPd2hm5LGrQhAtLfx2xHiJMaKhiHREH/F7FQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4S5Yjr0sS3zmdL;
	Thu, 12 Oct 2023 02:38:56 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 39C2cuCN006804;
	Thu, 12 Oct 2023 02:38:56 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 39C2cuMZ006802;
	Thu, 12 Oct 2023 02:38:56 GMT
	(envelope-from git)
Date: Thu, 12 Oct 2023 02:38:56 GMT
Message-Id: <202310120238.39C2cuMZ006802@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Adam Weinberger <adamw@FreeBSD.org>
Subject: git: 0c01423b48aa - main - www/caddy: Secure the default
  admin API endpoint
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: adamw
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0c01423b48aa7b63e795601c64af03322a594cae
Auto-Submitted: auto-generated

The branch main has been updated by adamw:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0c01423b48aa7b63e795601c64af03322a594cae

commit 0c01423b48aa7b63e795601c64af03322a594cae
Author:     Thomas Hurst <tom@hur.st>
AuthorDate: 2023-10-12 02:32:01 +0000
Commit:     Adam Weinberger <adamw@FreeBSD.org>
CommitDate: 2023-10-12 02:38:40 +0000

    www/caddy: Secure the default admin API endpoint
    
    Caddy's default of localhost:2019, particularly combined with the port
    defaulting to root:wheel, can be a significant security risk.
    
    Mitigate this by setting the default to /var/run/caddy/caddy.sock, which
    will be protected by filesystem permissions.  Prior behaviour can be
    restored with 'sysrc caddy_admin=localhost:2019'
    
    Additionally, help users prepare for a change to running Caddy as
    www:www by default using the new security/portacl-rc port in an update
    message, and by extending the comments in the rc script.
---
 www/caddy/Makefile             |  3 ++
 www/caddy/files/caddy.in       | 35 ++++++++++++++++--
 www/caddy/files/pkg-message.in | 80 +++++++++++++++++++++++++++++++++++++++---
 3 files changed, 110 insertions(+), 8 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 78ebc97e544d..cc999d13b787 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -14,6 +14,9 @@ LICENSE_FILE=	${WRKSRC}/LICENSE
 USES=		cpe go:modules
 CPE_VENDOR=	caddyserver
 
+USERS=		www
+GROUPS=		www
+
 USE_RC_SUBR=	caddy
 SUB_FILES=	Caddyfile.sample caddy pkg-message
 
diff --git a/www/caddy/files/caddy.in b/www/caddy/files/caddy.in
index 8e46cd93aae9..37babe7889d3 100644
--- a/www/caddy/files/caddy.in
+++ b/www/caddy/files/caddy.in
@@ -4,14 +4,39 @@
 # REQUIRE: LOGIN DAEMON NETWORKING
 # KEYWORD: shutdown
 
-# To enable caddy, add 'caddy_enable="YES"' to /etc/rc.conf or
-# /etc/rc.conf.local
+# To enable caddy:
+#
+# - Edit %%ETCDIR%%/Caddyfile
+#   See https://caddyserver.com/docs/
+# - Run 'service enable caddy'
+#
+# Note while Caddy currently defaults to running as root:wheel, it is strongly
+# recommended to run the server as an unprivileged user, such as www:www.
+#
+# - Use security/portacl-rc to enable privileged port binding:
+#
+#   # pkg install security/portacl-rc
+#   # sysrc portacl_users+=www
+#   # sysrc portacl_user_www_tcp="http https"
+#   # sysrc portacl_user_www_udp="https"
+#   # service portacl enable
+#   # service portacl start
+#
+# - Configure caddy to run as www:www
+#
+#   # sysrc caddy_user=www caddy_group=www
+#
+# - Note if Caddy has been started as root previously, files in
+#   /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
+#   changing manually.
 
 # Optional settings:
 # caddy_command (string):     Full path to the caddy binary
 # caddy_config (string):      Full path to caddy config file
 #                             (%%ETCDIR%%/Caddyfile)
 # caddy_adapter (string):     Config adapter type (caddyfile)
+# caddy_admin (string):       Default administration endpoint
+#                             (unix//var/run/caddy/caddy.sock)
 # caddy_directory (string):   Root for caddy storage (ACME certs, etc.)
 #                             (/var/db/caddy)
 # caddy_extra_flags (string): Extra flags passed to caddy start
@@ -40,6 +65,7 @@ load_rc_config $name
 : ${caddy_enable:=NO}
 : ${caddy_adapter:=caddyfile}
 : ${caddy_config:="%%ETCDIR%%/Caddyfile"}
+: ${caddy_admin:="unix//var/run/${name}/${name}.sock"}
 : ${caddy_command:="%%PREFIX%%/bin/${name}"}
 : ${caddy_directory:=/var/db/caddy}
 : ${caddy_extra_flags:=""}
@@ -53,6 +79,9 @@ load_rc_config $name
 : ${XDG_DATA_HOME:="${caddy_directory}/data"}
 export XDG_CONFIG_HOME XDG_DATA_HOME
 
+# Default admin interface
+export CADDY_ADMIN="${caddy_admin}"
+
 command="${caddy_command}"
 pidfile="/var/run/${name}/${name}.pid"
 
@@ -116,7 +145,7 @@ caddy_prestop()
 
     echo -n "Stopping caddy... "
 
-    result="$(caddy_execute stop 2>&1)"
+    result="$(caddy_execute stop ${caddy_flags} 2>&1)"
     if [ ${?} -eq 0 ]; then
         echo "done"
         exit 0
diff --git a/www/caddy/files/pkg-message.in b/www/caddy/files/pkg-message.in
index 661e81dde602..321e6b87bc36 100644
--- a/www/caddy/files/pkg-message.in
+++ b/www/caddy/files/pkg-message.in
@@ -6,22 +6,41 @@ To enable caddy:
 
 - Edit %%ETCDIR%%/Caddyfile
   See https://caddyserver.com/docs/
-- Add caddy_enable="YES" to /etc/rc.conf
+- Run 'service enable caddy'
+
+Note while Caddy currently defaults to running as root:wheel, it is strongly
+recommended to run the server as an unprivileged user, such as www:www --
+
+- Use security/portacl-rc to enable privileged port binding:
+
+  # pkg install security/portacl-rc
+  # sysrc portacl_users+=www
+  # sysrc portacl_user_www_tcp="http https"
+  # sysrc portacl_user_www_udp="https"
+  # service portacl enable
+  # service portacl start
+
+- Configure caddy to run as www:www
+
+  # sysrc caddy_user=www caddy_group=www
+
+- Note if Caddy has been started as root previously, files in
+  /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
+  changing manually.
 
 %%PREFIX%%/etc/rc.d/caddy has the following defaults:
 
 - Server log: /var/log/caddy/caddy.log
   (runtime messages, NOT an access.log)
 - Automatic SSL certificate storage: /var/db/caddy/data/caddy/
-- Runs as root:wheel (you can run as another user, like www,
-  but caddy will be unable to bind to low-numbered ports,
-  including 80 and 443)
+- Administration endpoint: //unix/var/run/caddy/caddy.sock
+- Runs as root:wheel (this will change to www:www in the future)
 
 INSTALL
 }
 {
   type: upgrade
-  maximum_version: 2.3.0
+  maximum_version: "2.3.0"
   message: <<UPGRADE
 The default locations for caddy runtime files have changed!
 
@@ -36,6 +55,57 @@ The default locations for caddy runtime files have changed!
 
 You can change these defaults. See %%PREFIX%%/etc/rc.d/caddy
 
+UPGRADE
+}
+{
+  type: upgrade
+  maximum_version: "2.7.4_2"
+  message: <<UPGRADE
+The default Caddy administration endpoint location has been changed from
+localhost:2019 to a protected Unix domain socket located in
+/var/run/caddy/caddy.sock
+
+This can be overridden with the `caddy_admin` rc variable, or by specifiying
+an alternative in the Caddyfile `admin` section, documented here:
+
+  https://caddyserver.com/docs/caddyfile/options#admin
+
+The previous default, particularly paired with the server running as root,
+may have serious security implications for shared machines with untrusted
+users.
+
+UPGRADE
+}
+{
+  type: upgrade
+  message: <<UPGRADE
+It is STRONGLY RECOMMENDED to run Caddy as an unprivileged user, such as
+www:www, rather than the current default of root:wheel.
+
+If you have relied upon earlier defaults:
+
+- Use security/portacl-rc to enable privileged port binding:
+
+  # pkg install security/portacl-rc
+  # sysrc portacl_users+=www
+  # sysrc portacl_user_www_tcp="http https"
+  # sysrc portacl_user_www_udp="https"
+  # service portacl enable
+  # service portacl start
+
+- Stop the server, and update ownership on Caddy runtime files:
+
+  # service caddy stop
+  # chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy
+
+Other changes may be necessary depending on your exact Caddy
+configuration.
+
+- Change the default runtime user, and restart the server:
+
+  # sysrc caddy_user=www caddy_group=www
+  # service caddy start
+
 UPGRADE
 }
 ]