From owner-freebsd-ports@FreeBSD.ORG Thu Apr 9 13:26:40 2015 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 88ED0E96 for ; Thu, 9 Apr 2015 13:26:40 +0000 (UTC) Received: from mail.ijs.si (mail.ijs.si [IPv6:2001:1470:ff80::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 37D7D908 for ; Thu, 9 Apr 2015 13:26:40 +0000 (UTC) Received: from amavis-proxy-ori.ijs.si (localhost [IPv6:::1]) by mail.ijs.si (Postfix) with ESMTP id 3lN3Cb6TRpz1MK for ; Thu, 9 Apr 2015 15:26:35 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ijs.si; h= user-agent:message-id:references:in-reply-to:organization :subject:subject:from:from:date:date:content-transfer-encoding :content-type:content-type:mime-version:received:received :received:received; s=jakla4; t=1428585993; x=1431177994; bh=uUZ W9OguccS0BAzWW7X19fDM7UUWrG5BdgzkiYYmPls=; b=kT9mbpqgkWcCeR45CU+ Zo5/0+k7InpH+G5rJwmkrzl0taeEN4sFWaT+eIk49vaJ0G8jRy5BUrz81YXwtdsq YeJMnGJ3mByR6XNe6cvrZ4BJxUE8e13fjY2nOiApzn4S3fyRe+G2JeU2XfiHX/ry l0jU1//YFZvBlF9xKjSBs7cA= X-Virus-Scanned: amavisd-new at ijs.si Received: from mail.ijs.si ([IPv6:::1]) by amavis-proxy-ori.ijs.si (mail.ijs.si [IPv6:::1]) (amavisd-new, port 10012) with ESMTP id WzbC1OJYNqqf for ; Thu, 9 Apr 2015 15:26:33 +0200 (CEST) Received: from mildred.ijs.si (mailbox.ijs.si [IPv6:2001:1470:ff80::143:1]) by mail.ijs.si (Postfix) with ESMTP for ; Thu, 9 Apr 2015 15:26:33 +0200 (CEST) Received: from neli.ijs.si (neli.ijs.si [IPv6:2001:1470:ff80:88:21c:c0ff:feb1:8c91]) by mildred.ijs.si (Postfix) with ESMTP id 3lN3CY1cWbz5g for ; Thu, 9 Apr 2015 15:26:33 +0200 (CEST) Received: from neli.ijs.si ([2001:1470:ff80:88:21c:c0ff:feb1:8c91]) by neli.ijs.si with HTTP (HTTP/1.1 POST); Thu, 09 Apr 2015 15:26:32 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable Date: Thu, 09 Apr 2015 15:26:32 +0200 From: Mark Martinec To: freebsd-ports@freebsd.org Subject: Re: is it safe to run net/haproxy as root? Organization: J. Stefan Institute In-Reply-To: <20150409114426.0081485b@efreet> References: <20150409114426.0081485b@efreet> Message-ID: X-Sender: Mark.Martinec+freebsd@ijs.si User-Agent: Roundcube Webmail/1.1.1 X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Apr 2015 13:26:40 -0000 Marko Cupa=C4=87 wrote: > I am setting up haproxy for the first time, and of course my first OS > choice is FreeBSD. >=20 > Most services I am familiar with use their own service accounts which > are created when port is installed (squid, ejabberd, mysql, clamav, > vscan etc.). But haproxy does not create account, and there is no > pkg-message, or any other reference which suggests I should create > separate account, and also whether it needs shell, homedir etc. On the > other hand, most web 'works for me' howtos mention running it under > separate account. >=20 > So, my question is the one from this mail's subject: > Is it safe to run haproxy under root account? If not, what is the best > practice regarding its user account's shell and homedir? Is there a > recommendation for UID/GID? It might be safe, but there is no compelling reason to run it as root, and a common sense advises against it. Even if it needs to bind to a low port number, haproxy is capable of dropping privilege after binding to a socket, and continues running under some other uid/gid, e.g.: /usr/local/etc/haproxy.conf global daemon user www group www [...] Apparently there isn't any standard FreeBSD uid assigned for this purpose. Either make up one, or it may be good enough to re-use one of the existing ones, perhaps the www account. Perhaps the haproxy port maintainer can be persuaded to assign some account entry for this purpose. Mark