From: Mark Felder
To: freebsd-ports@freebsd.org
Subject: Re: is it safe to run net/haproxy as root?
Date: Thu, 09 Apr 2015 09:05:19 -0500

On Thu, Apr 9, 2015, at 08:26, Mark Martinec wrote:
>
> Perhaps the haproxy port maintainer can be persuaded to assign
> some account entry for this purpose.
>

This wouldn't be a perfect solution. If you're going to be proxying port 80 and 443 you need to initially run as root, but perhaps by default in the config file we could drop privs to the haproxy user? Sounds like we need some better documentation on best practices, too.
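The privilege drop suggested in the message above, as an added haproxy.cfg sketch that is not part of the original message or of the port. The `haproxy` user and group, the `/var/empty` chroot directory and the backend address are assumptions.

```haproxy
# Constructed example, not from the thread or the net/haproxy port.
# Assumes a dedicated unprivileged "haproxy" user and group exist and that
# /var/empty is an empty directory that account cannot write to.
global
    # Without the user/group lines below, a process started as root
    # keeps root for its whole lifetime.
    user    haproxy
    group   haproxy
    # Confine the process to an empty directory after startup.
    chroot  /var/empty
    daemon

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    # Ports below 1024 are bound while the process is still root;
    # the switch to the unprivileged account happens afterwards.
    # A listener on 443 is bound at the same stage.
    bind :80
    default_backend app

backend app
    # Hypothetical local application server.
    server app1 127.0.0.1:8080
```

`haproxy -c -f <file>` checks the configuration without starting the proxy. After a start as root, the process list should show the running process under the unprivileged account.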