From nobody Sat Oct 14 02:21:18 2023
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S6nDb32FJz4x83X;
	Sat, 14 Oct 2023 02:21:19 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4S6nDb1j4sz4DNG;
	Sat, 14 Oct 2023 02:21:19 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1697250079;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ocfK0sauq52F8pkduCVwAIx61a7RwYLVxphwTTuOjx0=;
	b=hPtG1OaqwuczJaW/jbIPLGQ0yi9/D2RbLlw2ZDb0RQz9wEBo3BjmY1QEjOHsLl88sj5NFg
	1/Y6d8T7SNOEmi2w/kT541eb/cbjifdFvyS/G5IqCEHxM/IAiaJ5huJFJId6f59xpokzZH
	78z/HFdVDai1LaLrgR/Txw8WLSdP9wXIFSwzCHfpN/CJES7d50uSR8U1U1mDVk5TSj7wV5
	zTNdtc1F0OxGCTPvPRzvc2Vjc+ymUejSea+/GutvRQKn4AE9h3bxumdUBUABOMQtBO03hz
	S0RNrkRKT57gf0qMl3H700tIPGSQa7bhOG4G2UrJLOWLGaKTNE8l6ozCh8FG8w==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1697250079; a=rsa-sha256; cv=none;
	b=OAHgQWK1OHWxwSBYwcI2RHmwBJ3Uz7kuOSNZdskv4BSCvvIxDj6SkyxtpNgiJEyN5FeIv2
	+DPvVUw47KQBHVxfWMkMfhaKW4FcoOasjxY5/o1tL7Io1uexvsNhEBCTd/ATC+edWQxDhi
	wmUg2U9P5YlypqFwjxWsSHNFuPNe6xNXHcenoDbf4Rbo1Ii2nIkbgE78NvIfL2e/aiuBvD
	ra+JSQ5ftpuYnqSQUNSSWZLKsGqzg72H0BuWoAZbHl9r/45jcUMlMzdZBYIcTYGW9LbTxy
	TbiJ9OUgNJ1sD+ZjF+NgycBfS3I5eUzL4aSHKpZlTUU8jDqkox7ePyPnt2YR4w==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1697250079;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ocfK0sauq52F8pkduCVwAIx61a7RwYLVxphwTTuOjx0=;
	b=WrhRLj6sl6xaaZE4z4kFudzYFPDlwghySYOPBCO3yJUJqsFY0kLAYcDisjA3GxU8iRjwHz
	f+nQ2g7siDFSaFbI5NaRhL+9xXBnd+IvjNPn3DbqDnM2d5hxU8p65uDCGCbuWqa27YsidY
	xY33UuSkD3z69dYcfEwstzNyt6DGEl54rTVQBXv+l3fd8zvTl3CKb8TXplEln3wrOrz74d
	tUqVzt9dbWQYXqzhisRs6L5U+xA4Uk+ULXfhjohDqPnoF2YnZMdkXF07v7jDVSz+UMU7z9
	IiFXizmW5O+1iRwNYfsET63Jv6jCHXBSq5d6fJTmv7Hdc/s12kbn3UxSBqcndA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4S6nDb0fH1z1CGv;
	Sat, 14 Oct 2023 02:21:19 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 39E2LInO082004;
	Sat, 14 Oct 2023 02:21:18 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 39E2LI50082001;
	Sat, 14 Oct 2023 02:21:18 GMT
	(envelope-from git)
Date: Sat, 14 Oct 2023 02:21:18 GMT
Message-Id: <202310140221.39E2LI50082001@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-branches@FreeBSD.org
From: Adam Weinberger <adamw@FreeBSD.org>
Subject: git: c251243e9d02 - 2023Q4 - www/caddy: Secure the default
  admin API endpoint
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: adamw
X-Git-Repository: ports
X-Git-Refname: refs/heads/2023Q4
X-Git-Reftype: branch
X-Git-Commit: c251243e9d02594073df488d35c327b351035341
Auto-Submitted: auto-generated

The branch 2023Q4 has been updated by adamw:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c251243e9d02594073df488d35c327b351035341

commit c251243e9d02594073df488d35c327b351035341
Author:     Thomas Hurst <tom@hur.st>
AuthorDate: 2023-10-12 02:32:01 +0000
Commit:     Adam Weinberger <adamw@FreeBSD.org>
CommitDate: 2023-10-14 02:20:23 +0000

    www/caddy: Secure the default admin API endpoint
    
    Caddy's default of localhost:2019, particularly combined with the port
    defaulting to root:wheel, can be a significant security risk.
    
    Mitigate this by setting the default to /var/run/caddy/caddy.sock, which
    will be protected by filesystem permissions.  Prior behaviour can be
    restored with 'sysrc caddy_admin=localhost:2019'
    
    Additionally, help users prepare for a change to running Caddy as
    www:www by default using the new security/portacl-rc port in an update
    message, and by extending the comments in the rc script.
    
    (cherry picked from commit 0c01423b48aa7b63e795601c64af03322a594cae)
---
 www/caddy/Makefile             |  3 ++
 www/caddy/files/caddy.in       | 35 ++++++++++++++++--
 www/caddy/files/pkg-message.in | 80 +++++++++++++++++++++++++++++++++++++++---
 3 files changed, 110 insertions(+), 8 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 78ebc97e544d..cc999d13b787 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -14,6 +14,9 @@ LICENSE_FILE=	${WRKSRC}/LICENSE
 USES=		cpe go:modules
 CPE_VENDOR=	caddyserver
 
+USERS=		www
+GROUPS=		www
+
 USE_RC_SUBR=	caddy
 SUB_FILES=	Caddyfile.sample caddy pkg-message
 
diff --git a/www/caddy/files/caddy.in b/www/caddy/files/caddy.in
index 8e46cd93aae9..37babe7889d3 100644
--- a/www/caddy/files/caddy.in
+++ b/www/caddy/files/caddy.in
@@ -4,14 +4,39 @@
 # REQUIRE: LOGIN DAEMON NETWORKING
 # KEYWORD: shutdown
 
-# To enable caddy, add 'caddy_enable="YES"' to /etc/rc.conf or
-# /etc/rc.conf.local
+# To enable caddy:
+#
+# - Edit %%ETCDIR%%/Caddyfile
+#   See https://caddyserver.com/docs/
+# - Run 'service enable caddy'
+#
+# Note while Caddy currently defaults to running as root:wheel, it is strongly
+# recommended to run the server as an unprivileged user, such as www:www.
+#
+# - Use security/portacl-rc to enable privileged port binding:
+#
+#   # pkg install security/portacl-rc
+#   # sysrc portacl_users+=www
+#   # sysrc portacl_user_www_tcp="http https"
+#   # sysrc portacl_user_www_udp="https"
+#   # service portacl enable
+#   # service portacl start
+#
+# - Configure caddy to run as www:www
+#
+#   # sysrc caddy_user=www caddy_group=www
+#
+# - Note if Caddy has been started as root previously, files in
+#   /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
+#   changing manually.
 
 # Optional settings:
 # caddy_command (string):     Full path to the caddy binary
 # caddy_config (string):      Full path to caddy config file
 #                             (%%ETCDIR%%/Caddyfile)
 # caddy_adapter (string):     Config adapter type (caddyfile)
+# caddy_admin (string):       Default administration endpoint
+#                             (unix//var/run/caddy/caddy.sock)
 # caddy_directory (string):   Root for caddy storage (ACME certs, etc.)
 #                             (/var/db/caddy)
 # caddy_extra_flags (string): Extra flags passed to caddy start
@@ -40,6 +65,7 @@ load_rc_config $name
 : ${caddy_enable:=NO}
 : ${caddy_adapter:=caddyfile}
 : ${caddy_config:="%%ETCDIR%%/Caddyfile"}
+: ${caddy_admin:="unix//var/run/${name}/${name}.sock"}
 : ${caddy_command:="%%PREFIX%%/bin/${name}"}
 : ${caddy_directory:=/var/db/caddy}
 : ${caddy_extra_flags:=""}
@@ -53,6 +79,9 @@ load_rc_config $name
 : ${XDG_DATA_HOME:="${caddy_directory}/data"}
 export XDG_CONFIG_HOME XDG_DATA_HOME
 
+# Default admin interface
+export CADDY_ADMIN="${caddy_admin}"
+
 command="${caddy_command}"
 pidfile="/var/run/${name}/${name}.pid"
 
@@ -116,7 +145,7 @@ caddy_prestop()
 
     echo -n "Stopping caddy... "
 
-    result="$(caddy_execute stop 2>&1)"
+    result="$(caddy_execute stop ${caddy_flags} 2>&1)"
     if [ ${?} -eq 0 ]; then
         echo "done"
         exit 0
diff --git a/www/caddy/files/pkg-message.in b/www/caddy/files/pkg-message.in
index 661e81dde602..321e6b87bc36 100644
--- a/www/caddy/files/pkg-message.in
+++ b/www/caddy/files/pkg-message.in
@@ -6,22 +6,41 @@ To enable caddy:
 
 - Edit %%ETCDIR%%/Caddyfile
   See https://caddyserver.com/docs/
-- Add caddy_enable="YES" to /etc/rc.conf
+- Run 'service enable caddy'
+
+Note while Caddy currently defaults to running as root:wheel, it is strongly
+recommended to run the server as an unprivileged user, such as www:www --
+
+- Use security/portacl-rc to enable privileged port binding:
+
+  # pkg install security/portacl-rc
+  # sysrc portacl_users+=www
+  # sysrc portacl_user_www_tcp="http https"
+  # sysrc portacl_user_www_udp="https"
+  # service portacl enable
+  # service portacl start
+
+- Configure caddy to run as www:www
+
+  # sysrc caddy_user=www caddy_group=www
+
+- Note if Caddy has been started as root previously, files in
+  /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
+  changing manually.
 
 %%PREFIX%%/etc/rc.d/caddy has the following defaults:
 
 - Server log: /var/log/caddy/caddy.log
   (runtime messages, NOT an access.log)
 - Automatic SSL certificate storage: /var/db/caddy/data/caddy/
-- Runs as root:wheel (you can run as another user, like www,
-  but caddy will be unable to bind to low-numbered ports,
-  including 80 and 443)
+- Administration endpoint: //unix/var/run/caddy/caddy.sock
+- Runs as root:wheel (this will change to www:www in the future)
 
 INSTALL
 }
 {
   type: upgrade
-  maximum_version: 2.3.0
+  maximum_version: "2.3.0"
   message: <<UPGRADE
 The default locations for caddy runtime files have changed!
 
@@ -36,6 +55,57 @@ The default locations for caddy runtime files have changed!
 
 You can change these defaults. See %%PREFIX%%/etc/rc.d/caddy
 
+UPGRADE
+}
+{
+  type: upgrade
+  maximum_version: "2.7.4_2"
+  message: <<UPGRADE
+The default Caddy administration endpoint location has been changed from
+localhost:2019 to a protected Unix domain socket located in
+/var/run/caddy/caddy.sock
+
+This can be overridden with the `caddy_admin` rc variable, or by specifiying
+an alternative in the Caddyfile `admin` section, documented here:
+
+  https://caddyserver.com/docs/caddyfile/options#admin
+
+The previous default, particularly paired with the server running as root,
+may have serious security implications for shared machines with untrusted
+users.
+
+UPGRADE
+}
+{
+  type: upgrade
+  message: <<UPGRADE
+It is STRONGLY RECOMMENDED to run Caddy as an unprivileged user, such as
+www:www, rather than the current default of root:wheel.
+
+If you have relied upon earlier defaults:
+
+- Use security/portacl-rc to enable privileged port binding:
+
+  # pkg install security/portacl-rc
+  # sysrc portacl_users+=www
+  # sysrc portacl_user_www_tcp="http https"
+  # sysrc portacl_user_www_udp="https"
+  # service portacl enable
+  # service portacl start
+
+- Stop the server, and update ownership on Caddy runtime files:
+
+  # service caddy stop
+  # chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy
+
+Other changes may be necessary depending on your exact Caddy
+configuration.
+
+- Change the default runtime user, and restart the server:
+
+  # sysrc caddy_user=www caddy_group=www
+  # service caddy start
+
 UPGRADE
 }
 ]