Date: Thu, 09 Apr 2015 10:21:02 -0500
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-ports@freebsd.org
Subject: Re: is it safe to run net/haproxy as root?
Message-ID: <1428592862.2001231.251298669.2B516C1B@webmail.messagingengine.com>
In-Reply-To: <20150409162707.19890da8@efreet>
References: <20150409114426.0081485b@efreet> <f833db9e029a6efa808e5b00106f1d06@mailbox.ijs.si> <1428588319.1982383.251264557.2FD824BC@webmail.messagingengine.com> <20150409162707.19890da8@efreet>

On Thu, Apr 9, 2015, at 09:27, Marko Cupać wrote:
> On Thu, 09 Apr 2015 09:05:19 -0500
> Mark Felder <feld@FreeBSD.org> wrote:
>
> >
> >
> > On Thu, Apr 9, 2015, at 08:26, Mark Martinec wrote:
> > >
> > > Perhaps the haproxy port maintainer can be persuaded to assign
> > > some account entry for this purpose.
> > >
> >
> > This wouldn't be a perfect solution. If you're going to be proxying
> > port 80 and 443 you need to initially run as root, but perhaps by
> > default in the config file we could drop privs to the haproxy user?
>
> I am now testing proxying http(s) 80 and 443 to apache servers, but
> also tcp 3306 to mysql servers. I use separate profiles (which spawn
> separate instances if I understand well).
>
> Maybe it would be good to drop http(s) to www user/group, and tcp 3306
> to mysql user/group? www user/group comes with default FreeBSD
> installation, and I would need to create mysql user/group manually with
> same parameters as mysql port creates them (no problem).
>
> Does this sound reasonable?
>

That seems to be a solid idea for your environment.

I'm working on a patch for the port that introduces an haproxy user and
also installs an example config file with the uid and gid already set as
well as chroot being enabled by default. That should alleviate the issue
for new installations.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199314
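
The following is an added example, not part of the original message or of the port: a shell check that an haproxy configuration's `global` section sets the privilege-drop directives discussed above (`user`/`uid`, `group`/`gid`, `chroot`). The function names, the sample configurations, the `haproxy` account name and the `/var/empty` chroot path are assumptions made for illustration.

```sh
#!/bin/sh
# Audit an haproxy.cfg (file argument or stdin) for privilege-drop settings.
# Prints one "missing: ..." line per absent setting; exit status is 0 only
# when user/uid, group/gid and chroot are all set in the global section.
haproxy_privdrop_check() {
    awk '
        # Drop comments and leading whitespace, skip blank lines.
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        $0 == "" { next }
        # A section keyword starts a new section; only "global" counts.
        # This keeps "user"/"group" entries of a userlist from matching.
        $1 ~ /^(global|defaults|frontend|backend|listen|userlist|peers|resolvers)$/ {
            in_global = ($1 == "global"); next
        }
        in_global && NF >= 2 && ($1 == "user"  || $1 == "uid") { u = 1 }
        in_global && NF >= 2 && ($1 == "group" || $1 == "gid") { g = 1 }
        in_global && NF >= 2 && $1 == "chroot"                 { c = 1 }
        END {
            if (!u) print "missing: user/uid"
            if (!g) print "missing: group/gid"
            if (!c) print "missing: chroot"
            exit !(u && g && c)
        }
    ' "$@"
}

# Constructed sample: binds port 80, never drops root. The userlist
# entries must not be mistaken for global user/group settings.
sample_root_cfg() {
    cat <<'EOF'
global
    daemon
userlist admins
    group ops
    user alice insecure-password constructed
frontend web
    bind :80
EOF
}

# Constructed sample: starts as root to bind port 80, then drops privileges.
sample_dropped_cfg() {
    cat <<'EOF'
global
    daemon
    user haproxy     # assumed account name
    group haproxy
    chroot /var/empty
frontend web
    bind :80
EOF
}
```

Run it against a real file with `haproxy_privdrop_check /usr/local/etc/haproxy.conf` (path is an assumption; use wherever your configuration lives).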