[Bug 273181] www/caddy: Do not run as root by default

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 17 Aug 2023 15:03:40 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273181

            Bug ID: 273181
           Summary: www/caddy: Do not run as root by default
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: adamw@FreeBSD.org
          Reporter: tom@hur.st
             Flags: maintainer-feedback?(adamw@FreeBSD.org)

Created attachment 244172
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=244172&action=edit
Proposed patch to www/caddy

I don't think it's an appropriate default to encourage users to run a webserver
as root:wheel.

This patch changes the default caddy_user and _group to www, and adds
appropriate pkg-message entries to walk the user through configuring
mac_portacl(4) to enable it to bind to ports 80 and 443.

This does break existing installs that have accepted the prior default
user/group configuration without setting the user and group explicitly in
rc.conf.  The upgrade message should be sufficient to walk the user through a
migration, as well as offering sufficient advice as to how to restore the
previous behaviour.

I note at least one port (dns/dnscrypt-proxy2) automates the use of mac_portacl
in its rc script, including loading the module and adding appropriate rules.

While it would be possible to copy this approach, it does appear slightly
fragile in that it will never remove rulesets it adds, so changes in the
configuration could leave stale rules - this seems unwise in a security
context.

Possibly there should be more infrastructure around this to simplify both user
and port-managed mac_portacl rules, but this is another conversation.

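Added example, not part of the original report or the attached patch: one way to avoid the stale-rule problem described above is to treat the security.mac.portacl.rules value as a set, adding a port's rules idempotently and removing exactly those rules again. The function names are hypothetical, the starting ruleset is constructed, and www is assumed to be uid 80.

```shell
# Helpers for the comma-separated security.mac.portacl.rules value.
# Rule syntax per mac_portacl(4): idtype:id:protocol:port
# These only transform strings; applying the result on FreeBSD would be e.g.
#   sysctl security.mac.portacl.rules="$(portacl_add \
#       "$(sysctl -n security.mac.portacl.rules)" $CADDY_RULES)"

# Assumption: www is uid 80; ports 80 and 443 as named in the report.
CADDY_RULES="uid:80:tcp:80 uid:80:tcp:443"

# portacl_add CURRENT RULE... : print CURRENT with each RULE present once.
portacl_add() {
    _out=$1; shift
    for _r in "$@"; do
        case ",$_out," in
            *",$_r,"*) ;;                        # exact rule already present
            *) _out="${_out:+$_out,}$_r" ;;      # append, no leading comma
        esac
    done
    printf '%s\n' "$_out"
}

# portacl_remove CURRENT RULE... : print CURRENT minus every listed RULE,
# leaving rules owned by other services untouched.
portacl_remove() {
    _cur=$1; shift
    _out=
    _oldifs=$IFS; IFS=,
    for _have in $_cur; do
        _keep=1
        for _r in "$@"; do
            if [ "$_have" = "$_r" ]; then _keep=0; fi
        done
        if [ "$_keep" -eq 1 ]; then _out="${_out:+$_out,}$_have"; fi
    done
    IFS=$_oldifs
    printf '%s\n' "$_out"
}

# Constructed sample: a ruleset already holding another service's rules.
existing="uid:53:udp:53,uid:53:tcp:53"
started=$(portacl_add "$existing" $CADDY_RULES)
stopped=$(portacl_remove "$started" $CADDY_RULES)
echo "after start: $started"
echo "after stop:  $stopped"
```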