Date: Thu, 09 Apr 2015 15:20:51 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 199314] net/haproxy: create haproxy user, install sample config
Message-ID: <bug-199314-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199314

Bug ID: 199314
Summary: net/haproxy: create haproxy user, install sample config
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: demon@FreeBSD.org
Reporter: feld@FreeBSD.org
Flags: maintainer-feedback?(demon@FreeBSD.org)

Created attachment 155368
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=155368&action=edit
haproxy port patch

Hello,

This patch installs a sample config from the EXAMPLES dir already modified to
use a new haproxy uid and gid. It also has chroot enabled to the /var/empty
directory, which should be sufficient.

This should help alleviate damage from a future haproxy exploit as haproxy
would not be running as root.

Unfortunately, we cannot just force haproxy to always run as root via the rc
script as haproxy may need to listen on reserved ports (<1024) to proxy 80,
443, etc.

It would be wise to encourage users in pkg-message to update their
configurations to use the haproxy user, but I have not composed such a message.

--
You are receiving this mail because:
You are the assignee for the bug.
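
Added example, not part of the bug report or the attached patch: a small checker that reads the global section of an haproxy.cfg and reports whether the user, group and chroot settings the report describes are present. The two sample configs are constructed here, and treating group "wheel" as equivalent to gid 0 is a FreeBSD assumption.

```python
# Constructed sample configs (not taken from the port or the attached patch).
HARDENED_CFG = """\
global
    daemon
    user haproxy
    group haproxy
    chroot /var/empty
defaults
    mode http
"""
ROOT_CFG = """\
global
    daemon   # no user/group/chroot: the process keeps root privileges
defaults
    mode http
"""

# Keywords that open a new section. "userlist" matters because it has its
# own "user" directive that must not be mistaken for the global one.
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen",
                    "userlist", "peers", "resolvers"}


def parse_global(cfg_text):
    """Return {directive: [args]} for lines inside the global section only."""
    settings, in_global = {}, False
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            in_global = words[0] == "global"
        elif in_global:
            settings[words[0]] = words[1:]
    return settings


def audit(cfg_text):
    """Return findings; an empty list means uid/gid are dropped and chroot is set."""
    g = parse_global(cfg_text)
    findings = []
    if g.get("user", g.get("uid")) in (None, [], ["root"], ["0"]):
        findings.append("process stays root: set 'user haproxy'")
    if g.get("group", g.get("gid")) in (None, [], ["wheel"], ["0"]):
        findings.append("group not dropped: set 'group haproxy'")
    if not g.get("chroot"):
        findings.append("no chroot: set 'chroot /var/empty'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CFG), ("root", ROOT_CFG)):
        print(name, audit(cfg) or "OK")
```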