[Bug 273181] www/caddy: Do not run as root by default

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 17 Aug 2023 15:03:40 UTC

            Bug ID: 273181
           Summary: www/caddy: Do not run as root by default
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: adamw@FreeBSD.org
          Reporter: tom@hur.st
          Assignee: adamw@FreeBSD.org
             Flags: maintainer-feedback?(adamw@FreeBSD.org)

Created attachment 244172
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=244172&action=edit
Proposed patch to www/caddy

I don't think it's an appropriate default to encourage users to run a webserver
as root:wheel.

This patch changes the default caddy_user and _group to www, and adds
appropriate pkg-message entries to walk the user through configuring
mac_portacl(4) to enable it to bind to ports 80 and 443.

This does break existing installs that have accepted the prior default
user/group configuration without setting the user and group explicitly in
rc.conf.  The upgrade message should be sufficient to walk the user through a
migration, as well as offering sufficient advice as to how to restore the
previous behaviour.

I note at least one port (dns/dnscrypt-proxy2) automates the use of mac_portacl
in its rc script, including loading the module and adding appropriate rules.

While it would be possible to copy this approach, it does appear slightly
fragile in that it will never remove rulesets it adds, so changes in the
configuration could leave stale rules - this seems unwise in a security

Possibly there should be more infrastructure around this to simplify both user
and port-managed mac_portacl rules, but this is another conversation.

You are receiving this mail because:
You are the assignee for the bug.