Date: Thu, 17 Aug 2023 15:03:40 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 273181] www/caddy: Do not run as root by default
Message-ID: <bug-273181-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273181

Bug ID: 273181
Summary: www/caddy: Do not run as root by default
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: adamw@FreeBSD.org
Reporter: tom@hur.st
Flags: maintainer-feedback?(adamw@FreeBSD.org)

Created attachment 244172
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=244172&action=edit
Proposed patch to www/caddy

I don't think it's an appropriate default to encourage users to run a webserver as root:wheel.

This patch changes the default caddy_user and _group to www, and adds appropriate pkg-message entries to walk the user through configuring mac_portacl(4) to enable it to bind to ports 80 and 443.

This does break existing installs that have accepted the prior default user/group configuration without setting the user and group explicitly in rc.conf. The upgrade message should be sufficient to walk the user through a migration, as well as offering sufficient advice as to how to restore the previous behaviour.

I note at least one port (dns/dnscrypt-proxy2) automates the use of mac_portacl in its rc script, including loading the module and adding appropriate rules. While it would be possible to copy this approach, it does appear slightly fragile in that it will never remove rulesets it adds, so changes in the configuration could leave stale rules - this seems unwise in a security context.

Possibly there should be more infrastructure around this to simplify both user and port-managed mac_portacl rules, but this is another conversation.

--
You are receiving this mail because:
You are the assignee for the bug.
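As an added example (not part of the bug report, of the attached patch, or of the www/caddy port), the POSIX sh functions below show the mac_portacl(4) ruleset syntax the report refers to and manage rules so that a service script can remove on stop exactly the rules it added on start, which is the stale-rule problem the report raises about the dns/dnscrypt-proxy2 approach. Assumptions not taken from the report: Caddy runs as FreeBSD's stock www user (uid 80); the sysctl names, kldstat(8) and kldload(8) invocations are the ones documented for mac_portacl(4). The rule-manipulation functions are plain string handling and run on any POSIX sh; only portacl_apply touches the kernel, and it refuses to run outside FreeBSD.

```shell
#!/bin/sh
# Added example: manage mac_portacl(4) rules for a non-root web server
# without leaving stale entries behind. Not the port's own rc script.
# Assumption: the service user is FreeBSD's stock "www" (uid 80).

# Build a mac_portacl rule list: idtype:id:proto:port, comma-separated.
# $1 = idtype (uid|gid), $2 = numeric id, $3 = proto (tcp|udp), rest = ports
portacl_rules_for() {
    idtype=$1; id=$2; proto=$3; shift 3
    out=""
    for port in "$@"; do
        out="${out:+${out},}${idtype}:${id}:${proto}:${port}"
    done
    printf '%s' "$out"
}

# Merge $2 into ruleset $1, skipping rules already present (idempotent start).
portacl_merge() {
    result=$1
    oldifs=$IFS; IFS=,
    for r in $2; do
        case ",${result}," in
            *",${r},"*) ;;                               # already there
            *) result="${result:+${result},}${r}" ;;
        esac
    done
    IFS=$oldifs
    printf '%s' "$result"
}

# Remove every rule listed in $2 from ruleset $1, leaving other rules
# (e.g. ones the administrator or another port added) untouched (clean stop).
portacl_remove() {
    result=""
    oldifs=$IFS; IFS=,
    for r in $1; do
        case ",${2}," in
            *",${r},"*) ;;                               # drop it
            *) result="${result:+${result},}${r}" ;;
        esac
    done
    IFS=$oldifs
    printf '%s' "$result"
}

# Accept only well-formed rules before handing them to the kernel.
portacl_valid() {
    oldifs=$IFS
    IFS=,; set -- $1; IFS=$oldifs
    for r in "$@"; do
        IFS=:; set -- $r; IFS=$oldifs
        [ $# -eq 4 ] || return 1
        case $1 in uid|gid) ;; *) return 1 ;; esac
        case $2 in ''|*[!0-9]*) return 1 ;; esac
        case $3 in tcp|udp) ;; *) return 1 ;; esac
        case $4 in ''|*[!0-9]*) return 1 ;; esac
        [ "$4" -le 65535 ] || return 1
    done
    return 0
}

# Load the module, turn off the kernel's own reserved-port check so that
# mac_portacl is authoritative for ports below 1024 (root stays exempt via
# suser_exempt), and install the ruleset. FreeBSD only.
portacl_apply() {
    rules=$1
    [ "$(uname -s)" = "FreeBSD" ] || { echo "not FreeBSD; nothing applied" >&2; return 1; }
    portacl_valid "$rules" || { echo "invalid rule set: $rules" >&2; return 1; }
    kldstat -q -m mac_portacl || kldload mac_portacl || return 1
    sysctl net.inet.ip.portrange.reservedlow=0 \
           net.inet.ip.portrange.reservedhigh=0 >/dev/null || return 1
    sysctl security.mac.portacl.suser_exempt=1 \
           security.mac.portacl.rules="$rules" >/dev/null
}

# What an rc script's start/stop would call: add or remove only our rules.
portacl_add_live()    { portacl_apply "$(portacl_merge  "$(sysctl -n security.mac.portacl.rules)" "$1")"; }
portacl_remove_live() { portacl_apply "$(portacl_remove "$(sysctl -n security.mac.portacl.rules)" "$1")"; }

# e.g. on start:  portacl_add_live    "$(portacl_rules_for uid 80 tcp 80 443)"
#      on stop:   portacl_remove_live "$(portacl_rules_for uid 80 tcp 80 443)"
```

The same sysctl values belong in /etc/sysctl.conf, with the module loaded from /boot/loader.conf (mac_portacl_load="YES"), if the rules are to survive a reboot rather than being managed by the service script. Note that mac_portacl rules are keyed on uid or gid, so the www uid (80) is what is authorised, regardless of the caddy_user name set in rc.conf.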