is it safe to run net/haproxy as root?
marko.cupac at mimar.rs
Thu Apr 9 14:27:19 UTC 2015
On Thu, 09 Apr 2015 09:05:19 -0500
Mark Felder <feld at FreeBSD.org> wrote:
> On Thu, Apr 9, 2015, at 08:26, Mark Martinec wrote:
> > Perhaps the haproxy port maintainer can be persuaded to assign
> > some account entry for this purpose.
> This wouldn't be a perfect solution. If you're going to be proxying
> port 80 and 443 you need to initially run as root, but perhaps by
> default in the config file we could drop privs to the haproxy user?
I am now testing proxying http(s) 80 and 443 to apache servers, but
also tcp 3306 to mysql servers. I use separate profiles (which spawn
separate instances if I understand well).
Maybe it would be good to drop http(s) to www user/group, and tcp 3306
to mysql user/group? www user/group comes with default FreeBSD
installation, and I would need to create mysql user/group manually with
same parameters as mysql port creates them (no problem).
Does this sound reasonable?
More information about the freebsd-ports