Date:      Thu, 09 Apr 2015 10:21:02 -0500
From:      Mark Felder <feld@FreeBSD.org>
To:        freebsd-ports@freebsd.org
Subject:   Re: is it safe to run net/haproxy as root?
Message-ID:  <1428592862.2001231.251298669.2B516C1B@webmail.messagingengine.com>
In-Reply-To: <20150409162707.19890da8@efreet>
References:  <20150409114426.0081485b@efreet> <f833db9e029a6efa808e5b00106f1d06@mailbox.ijs.si> <1428588319.1982383.251264557.2FD824BC@webmail.messagingengine.com> <20150409162707.19890da8@efreet>

On Thu, Apr 9, 2015, at 09:27, Marko Cupać wrote:
> On Thu, 09 Apr 2015 09:05:19 -0500
> Mark Felder <feld@FreeBSD.org> wrote:
>
> >
> > On Thu, Apr 9, 2015, at 08:26, Mark Martinec wrote:
> > >
> > > Perhaps the haproxy port maintainer can be persuaded to assign
> > > some account entry for this purpose.
> > >
> >
> > This wouldn't be a perfect solution. If you're going to be proxying
> > port 80 and 443 you need to initially run as root, but perhaps by
> > default in the config file we could drop privs to the haproxy user?
>
> I am now testing proxying http(s) 80 and 443 to apache servers, but
> also tcp 3306 to mysql servers. I use separate profiles (which spawn
> separate instances if I understand well).
>
> Maybe it would be good to drop http(s) to www user/group, and tcp 3306
> to mysql user/group? www user/group comes with default FreeBSD
> installation, and I would need to create mysql user/group manually with
> same parameters as mysql port creates them (no problem).
>
> Does this sound reasonable?
>

That seems to be a solid idea for your environment.

I'm working on a patch for the port that introduces an haproxy user and
also installs an example config file with the uid and gid already set as
well as chroot being enabled by default.

That should alleviate the issue for new installations.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199314
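
Added example, not part of the original message or of the port patch: a shell check that an haproxy.cfg `global` section sets a non-root user and group and a chroot, which are the settings the thread discusses. The sample configs, the `/var/empty` chroot path and the function name `audit_haproxy_global` are constructed for illustration.

```shell
#!/bin/sh
# audit_haproxy_global FILE  (added example, not the port's code)
# Prints one line per check; returns 0 only if the global section names a
# non-root user (user/uid), a non-root group (group/gid) and a chroot directory.
audit_haproxy_global() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        # Common section keywords (not exhaustive); only "global" is audited.
        $1 ~ /^(global|defaults|frontend|backend|listen|userlist|peers|resolvers)$/ {
            in_global = ($1 == "global"); next
        }
        !in_global { next }
        $1 == "user"  || $1 == "uid" { user = $2 }
        $1 == "group" || $1 == "gid" { group = $2 }
        $1 == "chroot"               { jail = $2 }
        END {
            rc = 0
            if (user == "" || user == "root" || user == "0") { print "FAIL: no non-root user/uid"; rc = 1 }
            else print "ok: user " user
            if (group == "" || group == "wheel" || group == "0") { print "FAIL: no non-root group/gid"; rc = 1 }
            else print "ok: group " group
            if (jail == "") { print "FAIL: no chroot"; rc = 1 }
            else print "ok: chroot " jail
            exit rc
        }
    ' "$1"
}

# Constructed sample configs (hypothetical, not the port's example file).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/root.cfg" <<'EOF'
global
    daemon
userlist admins
    user stats insecure-password constructed
frontend www
    bind *:80
EOF
cat > "$tmp/dropped.cfg" <<'EOF'
global
    daemon
    user haproxy
    group haproxy
    chroot /var/empty
EOF
for f in root dropped; do
    echo "== $f.cfg"; audit_haproxy_global "$tmp/$f.cfg" || true
done
```

The `user` line inside the `userlist` section of the first sample is deliberately not counted, since only the `global` section controls which account the process runs as after binding its ports.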
