FreeBSD Bugzilla – Attachment 244172 Details for Bug 273181: www/caddy: Do not run as root by default
[patch] Proposed patch to www/caddy
Filename: patch-www-caddy-2.7.3_1 (text/plain), 4.04 KB
Creator: Thomas Hurst
Created: 2023-08-17 15:03:40 UTC
Flags: patch, obsolete
>diff --git www/caddy/Makefile www/caddy/Makefile >index 8fc86707fc1f..522f742d6909 100644 >--- www/caddy/Makefile >+++ www/caddy/Makefile >@@ -1,6 +1,7 @@ > PORTNAME= caddy > DISTVERSIONPREFIX= v > DISTVERSION= 2.7.3 >+PORTREVISION= 1 > CATEGORIES= www > DIST_SUBDIR= caddy > >@@ -17,6 +18,9 @@ CPE_VENDOR= caddyserver > USE_RC_SUBR= caddy > SUB_FILES= Caddyfile.sample caddy pkg-message > >+USERS= www >+GROUPS= www >+ > CONFLICTS_INSTALL= caddy-custom > > PLIST_FILES= bin/${PORTNAME} \ >diff --git www/caddy/files/caddy.in www/caddy/files/caddy.in >index 17724715ae5c..8b7d96d82c08 100644 >--- www/caddy/files/caddy.in >+++ www/caddy/files/caddy.in >@@ -6,6 +6,15 @@ > > # To enable caddy, add 'caddy_enable="YES"' to /etc/rc.conf or > # /etc/rc.conf.local >+# >+# To enable running as www:www, add 'mac_portacl_load="YES"' to >+# /boot/loader.conf and the following lines to /etc/sysctl.conf: >+# >+# # Delegate reserved port handling to mac_portacl >+# net.inet.ip.portrange.reservedhigh=0 >+# >+# # Enable uid 80 to listen on ports 80 and 443 >+# security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443" > > # Optional settings: > # caddy_command (string): Full path to the caddy binary >@@ -21,8 +30,8 @@ > # This is for startup/shutdown/error messages. > # To create an access log, see: > # https://caddyserver.com/docs/caddyfile/directives/log >-# caddy_user (user): User to run caddy (root) >-# caddy_group (group): Group to run caddy (wheel) >+# caddy_user (user): User to run caddy (www) >+# caddy_group (group): Group to run caddy (www) > # > # This script will honor XDG_CONFIG_HOME/XDG_DATA_HOME. Caddy will create a > # .../caddy subdir in each of those. By default, they are subdirs of /var/db/caddy. 
>@@ -45,8 +54,8 @@ load_rc_config $name > : ${caddy_extra_flags:=""} > : ${caddy_logdir:="/var/log/${name}"} > : ${caddy_logfile:="${caddy_logdir}/${name}.log"} >-: ${caddy_user:="root"} >-: ${caddy_group:="wheel"} >+: ${caddy_user:="www"} >+: ${caddy_group:="www"} > > # Config and base directories > : ${XDG_CONFIG_HOME:="${caddy_directory}/config"} >diff --git www/caddy/files/pkg-message.in www/caddy/files/pkg-message.in >index 661e81dde602..2526b0cda3ce 100644 >--- www/caddy/files/pkg-message.in >+++ www/caddy/files/pkg-message.in >@@ -6,16 +6,21 @@ To enable caddy: > > - Edit %%ETCDIR%%/Caddyfile > See https://caddyserver.com/docs/ >-- Add caddy_enable="YES" to /etc/rc.conf >+- Add mac_portacl_load="YES" to /boot/loader.conf >+- Run 'kldload mac_portacl' >+- To /etc/sysctl.conf add: >+ net.inet.ip.portrange.reservedhigh=0 >+ security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443" >+- Run 'service sysctl reload' >+- Run 'sysrc caddy_enable="YES"' > > %%PREFIX%%/etc/rc.d/caddy has the following defaults: > > - Server log: /var/log/caddy/caddy.log > (runtime messages, NOT an access.log) > - Automatic SSL certificate storage: /var/db/caddy/data/caddy/ >-- Runs as root:wheel (you can run as another user, like www, >- but caddy will be unable to bind to low-numbered ports, >- including 80 and 443) >+- Runs as www:www (requires mac_portacl(4) to allow caddy to bind to >+ privileged ports 80 and 443) > > INSTALL > } 
>@@ -36,6 +41,38 @@ The default locations for caddy runtime files have changed! > > You can change these defaults. See %%PREFIX%%/etc/rc.d/caddy > >+UPGRADE >+} >+{ >+ type: upgrade >+ maximum_version: 2.7.3_1 >+ message: <<UPGRADE >+Caddy now runs as www:www by default instead of root:wheel >+ >+To enable caddy to continue to bind to port 80 and 443, it is >+recommended to use mac_portacl(4): >+ >+- Add mac_portacl_load="YES" to /boot/loader.conf >+ >+- Run 'kldload mac_portacl' >+ >+- To /etc/sysctl.conf add: >+ >+ net.inet.ip.portrange.reservedhigh=0 >+ security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443" >+ >+- Run 'service sysctl reload' >+ >+- Alter ownership on caddy runtime files: >+ >+ chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy >+ >+Other changes may be necessary depending on your exact caddy >+configuration. >+ >+To continue running caddy as root, set caddy_user and caddy_group in >+/etc/rc.conf >+ > UPGRADE > } > ]
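Review bot: in caddy.in hunk @@ -6,6 +6,15 the comment recommends `net.inet.ip.portrange.reservedhigh=0` without its failure mode. That sysctl removes the kernel's own root-only restriction on every port below 1024 for every uid; only a loaded mac_portacl(4) puts a restriction back. If the module is not loaded when /etc/sysctl.conf is applied (loader.conf typo, `kldload` skipped), the `security.mac.portacl.rules=...` line fails to set while `reservedhigh=0` still takes effect, and every privileged port becomes bindable by any unprivileged process. Worth a sentence in the comment, and ideally a start_precmd guard that refuses to start a non-root caddy_user unless `sysctl -n security.mac.portacl.rules` lists the needed ports. Also, the example rule is tcp-only: a Caddyfile serving HTTP/3 (enabled by default in Caddy since 2.6) also binds UDP 443, which this rule does not permit, so either add `uid:80:udp:443` to the example or state the limitation.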
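Review bot: caddy.in hunk @@ -45,8 +54,8 only changes who the process runs as; nothing in the diff shows the script creating `${caddy_directory}` and `${caddy_logdir}` owned by `${caddy_user}:${caddy_group}`. If start_precmd does not already do something like `install -d -o ${caddy_user} -g ${caddy_group}` for those paths, a first start as www fails on the first write to /var/log/caddy/caddy.log or to the certificate store under /var/db/caddy, and a root-owned tree left by a previous install is exactly the case the UPGRADE text asks the admin to fix by hand. Doing it in the script keeps the defaults and the on-disk ownership in sync whatever caddy_user is set to.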
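Review bot: in pkg-message.in hunk @@ -6,16 +6,21 the rule `security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443"` hard-codes uid 80 and ports 80/443, while the rc script makes caddy_user a tunable and the Caddyfile decides which ports are bound; an admin who sets a dedicated caddy_user or serves on other ports gets a bind failure with nothing in the message pointing back at this rule. Suggest one line saying the uid must match `id -u` of caddy_user and the ports must match the Caddyfile, and that after `service sysctl reload` (which re-applies all of /etc/sysctl.conf) the result can be checked with `sysctl security.mac.portacl.rules`.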
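Review bot: `chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy` in pkg-message.in hunk @@ -36,6 +41,38 uses a flag FreeBSD chown(8) does not have; recursion is `-R`, so the command as written errors out and an admin following the notes is left with a root-owned certificate store that caddy, now running as www, cannot read or renew. Change it to `chown -R www:www ...`. Separately, `maximum_version: 2.7.3_1` names the version that introduces the change; if pkg's bound is inclusive the message also fires on every later upgrade from 2.7.3_1, when the migration is already done. `2.7.3`, the last root:wheel version, is the bound that matches the intent; please verify against pkg's comparison before committing.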
Attachments on bug 273181: 244172 | 244812