FreeBSD Bugzilla – Attachment 244812 Details for Bug 273181: www/caddy: Do not run as root by default
[patch] Proposed patch to www/caddy, redux
0001-www-caddy-Secure-the-default-admin-API-endpoint.patch (text/plain), 7.54 KB, created by Thomas Hurst on 2023-09-13 16:02:18 UTC
patch, obsolete
>From 4172c7fbc4bfa037b86a7ff1427025594d04bce4 Mon Sep 17 00:00:00 2001 >From: Thomas Hurst <tom@hur.st> >Date: Wed, 13 Sep 2023 15:51:43 +0000 >Subject: [PATCH] www/caddy: Secure the default admin API endpoint > >Caddy's default of localhost:2019, particularly combined with the port >defaulting to root:wheel, can be a significant security risk. > >Mitigate this by setting the default to /var/run/caddy/caddy.sock, which >will be protected by filesystem permissions. Prior behaviour can be >restored with 'sysrc caddy_admin=localhost:2019' > >Additionally, help users prepare for a change to running Caddy as >www:www by default using the new security/portacl-rc port in an update >message, and by extending the comments in the rc script. >--- > www/caddy/Makefile | 5 ++- > www/caddy/files/caddy.in | 41 ++++++++++++++--- > www/caddy/files/pkg-message.in | 80 +++++++++++++++++++++++++++++++--- > 3 files changed, 114 insertions(+), 12 deletions(-) > >diff --git a/www/caddy/Makefile b/www/caddy/Makefile >index e0a046307c56..3b4834d923f9 100644 >--- a/www/caddy/Makefile >+++ b/www/caddy/Makefile >@@ -1,7 +1,7 @@ > PORTNAME= caddy > DISTVERSIONPREFIX= v > DISTVERSION= 2.7.4 >-PORTREVISION= 1 >+PORTREVISION= 2 > CATEGORIES= www > DIST_SUBDIR= caddy > >@@ -31,6 +31,9 @@ GO_MODULE= github.com/caddyserver/caddy/v2 > # If modules must be specified manually: > #.include "${.CURDIR}/modules.mk" > >+USERS= www >+GROUPS= www >+ > post-install: > ${MKDIR} ${STAGEDIR}${ETCDIR} > ${INSTALL_DATA} ${WRKDIR}/Caddyfile.sample ${STAGEDIR}${ETCDIR} >diff --git a/www/caddy/files/caddy.in b/www/caddy/files/caddy.in >index 17724715ae5c..02c678b865d2 100644 >--- a/www/caddy/files/caddy.in >+++ b/www/caddy/files/caddy.in 
>@@ -4,14 +4,39 @@ > # REQUIRE: LOGIN DAEMON NETWORKING > # KEYWORD: shutdown > >-# To enable caddy, add 'caddy_enable="YES"' to /etc/rc.conf or >-# /etc/rc.conf.local >+# To enable caddy: >+# >+# - Edit %%ETCDIR%%/Caddyfile >+# See https://caddyserver.com/docs/ >+# - Run 'service enable caddy' >+# >+# Note while Caddy currently defaults to running as root:wheel, it is strongly >+# recommended to run the server as an unprivileged user, such as www:www -- >+# >+# - Use security/portacl-rc to enable privileged port binding: >+# >+# # pkg install security/portacl-rc >+# # sysrc portacl_users+=www >+# # sysrc portacl_user_www_tcp="http https" >+# # sysrc portacl_user_www_udp="https" >+# # service portacl enable >+# # service portacl start >+# >+# - Configure caddy to run as www:www >+# >+# # sysrc caddy_user=www caddy_group=www >+# >+# - Note if Caddy has been started as root previously, files in >+# /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership >+# changing manually. > > # Optional settings: > # caddy_command (string): Full path to the caddy binary > # caddy_config (string): Full path to caddy config file > # (%%ETCDIR%%/Caddyfile) > # caddy_adapter (string): Config adapter type (caddyfile) >+# caddy_admin (string): Default administration endpoint >+# (unix//var/run/caddy/caddy.sock) > # caddy_directory (string): Root for caddy storage (ACME certs, etc.) > # (/var/db/caddy) > # caddy_extra_flags (string): Extra flags passed to caddy start 
>@@ -37,11 +62,12 @@ desc="Powerful, enterprise-ready, open source web server with automatic HTTPS wr > load_rc_config $name > > # Defaults >-: ${caddy_enable:=NO} >-: ${caddy_adapter:=caddyfile} >+: ${caddy_enable:="NO"} >+: ${caddy_adapter:="caddyfile"} > : ${caddy_config:="%%ETCDIR%%/Caddyfile"} >+: ${caddy_admin:="unix//var/run/${name}/${name}.sock"} > : ${caddy_command:="%%PREFIX%%/bin/${name}"} >-: ${caddy_directory:=/var/db/caddy} >+: ${caddy_directory:="/var/db/caddy"} > : ${caddy_extra_flags:=""} > : ${caddy_logdir:="/var/log/${name}"} > : ${caddy_logfile:="${caddy_logdir}/${name}.log"} >@@ -53,6 +79,9 @@ load_rc_config $name > : ${XDG_DATA_HOME:="${caddy_directory}/data"} > export XDG_CONFIG_HOME XDG_DATA_HOME > >+# Default admin interface >+export CADDY_ADMIN="${caddy_admin}" >+ > command="${caddy_command}" > pidfile="/var/run/${name}/${name}.pid" > >@@ -115,7 +144,7 @@ caddy_prestop() > > echo -n "Stopping caddy... " > >- result="$(caddy_execute stop 2>&1)" >+ result="$(caddy_execute stop ${caddy_flags} 2>&1)" > if [ ${?} -eq 0 ]; then > echo "done" > exit 0 >diff --git a/www/caddy/files/pkg-message.in b/www/caddy/files/pkg-message.in >index 661e81dde602..321e6b87bc36 100644 >--- a/www/caddy/files/pkg-message.in >+++ b/www/caddy/files/pkg-message.in 
>@@ -6,22 +6,41 @@ To enable caddy: > > - Edit %%ETCDIR%%/Caddyfile > See https://caddyserver.com/docs/ >-- Add caddy_enable="YES" to /etc/rc.conf >+- Run 'service enable caddy' >+ >+Note while Caddy currently defaults to running as root:wheel, it is strongly >+recommended to run the server as an unprivileged user, such as www:www -- >+ >+- Use security/portacl-rc to enable privileged port binding: >+ >+ # pkg install security/portacl-rc >+ # sysrc portacl_users+=www >+ # sysrc portacl_user_www_tcp="http https" >+ # sysrc portacl_user_www_udp="https" >+ # service portacl enable >+ # service portacl start >+ >+- Configure caddy to run as www:www >+ >+ # sysrc caddy_user=www caddy_group=www >+ >+- Note if Caddy has been started as root previously, files in >+ /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership >+ changing manually. > > %%PREFIX%%/etc/rc.d/caddy has the following defaults: > > - Server log: /var/log/caddy/caddy.log > (runtime messages, NOT an access.log) > - Automatic SSL certificate storage: /var/db/caddy/data/caddy/ >-- Runs as root:wheel (you can run as another user, like www, >- but caddy will be unable to bind to low-numbered ports, >- including 80 and 443) >+- Administration endpoint: //unix/var/run/caddy/caddy.sock >+- Runs as root:wheel (this will change to www:www in the future) > > INSTALL > } > { > type: upgrade >- maximum_version: 2.3.0 >+ maximum_version: "2.3.0" > message: <<UPGRADE > The default locations for caddy runtime files have changed! 
> >@@ -36,6 +55,57 @@ The default locations for caddy runtime files have changed! > > You can change these defaults. See %%PREFIX%%/etc/rc.d/caddy > >+UPGRADE >+} >+{ >+ type: upgrade >+ maximum_version: "2.7.4_2" >+ message: <<UPGRADE >+The default Caddy administration endpoint location has been changed from >+localhost:2019 to a protected Unix domain socket located in >+/var/run/caddy/caddy.sock >+ >+This can be overridden with the `caddy_admin` rc variable, or by specifiying >+an alternative in the Caddyfile `admin` section, documented here: >+ >+ https://caddyserver.com/docs/caddyfile/options#admin >+ >+The previous default, particularly paired with the server running as root, >+may have serious security implications for shared machines with untrusted >+users. >+ >+UPGRADE >+} >+{ >+ type: upgrade >+ message: <<UPGRADE >+It is STRONGLY RECOMMENDED to run Caddy as an unprivileged user, such as >+www:www, rather than the current default of root:wheel. >+ >+If you have relied upon earlier defaults: >+ >+- Use security/portacl-rc to enable privileged port binding: >+ >+ # pkg install security/portacl-rc >+ # sysrc portacl_users+=www >+ # sysrc portacl_user_www_tcp="http https" >+ # sysrc portacl_user_www_udp="https" >+ # service portacl enable >+ # service portacl start >+ >+- Stop the server, and update ownership on Caddy runtime files: >+ >+ # service caddy stop >+ # chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy >+ >+Other changes may be necessary depending on your exact Caddy >+configuration. >+ >+- Change the default runtime user, and restart the server: >+ >+ # sysrc caddy_user=www caddy_group=www >+ # service caddy start >+ > UPGRADE > } > ] >-- >2.42.0 >
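Review bot: The `service enable caddy` instruction in the new caddy.in comment block has its arguments reversed; service(8) takes the service name first, so it should read `service caddy enable`, which also matches the `service portacl enable` line a few lines below it in the same comment. The same reversed form appears in the pkg-message hunk ("- Run 'service enable caddy'") and should be corrected there too.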
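Review bot: The defaults hunk in caddy.in sets `caddy_admin` to `unix//var/run/${name}/${name}.sock`, but the commit message's claim that the socket "will be protected by filesystem permissions" rests on the mode and ownership of /var/run/caddy, and nothing in this patch creates that directory with a restrictive mode or documents what mode is expected. Since the admin endpoint gives full control over the running server's configuration, the rc script should make sure the directory is created with a tight mode owned by `${caddy_user}:${caddy_group}` before start, and the `caddy_admin` comment should say so, otherwise a permissive /var/run/caddy silently gives back the exposure the change is meant to remove.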
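Review bot: In the caddy_prestop hunk, `result="$(caddy_execute stop ${caddy_flags} 2>&1)"` references `caddy_flags`, which is not defined or changed anywhere in this patch; if it is an existing variable carrying the `caddy start` arguments, the expansion should be quoted (`"${caddy_flags}"` or `$caddy_flags` with care for word splitting on paths with spaces) and every flag in it must be one `caddy stop` accepts, because any rejection is swallowed into `result` and only surfaces as a failed stop. Given that the script now exports CADDY_ADMIN for the server, passing `--address "${caddy_admin}"` to `stop` explicitly would make the dependency on the new socket location visible rather than relying on the environment.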
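Review bot: The first pkg-message hunk prints the default as `Administration endpoint: //unix/var/run/caddy/caddy.sock`, while the rc script's default is `unix//var/run/caddy/caddy.sock`; the two must agree, and the rc-script form is the one actually exported, so change the message to `unix//var/run/caddy/caddy.sock`. The `- Run 'service enable caddy'` line in this hunk has the same reversed argument order noted for caddy.in and should be `service caddy enable`.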
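Review bot: In the second pkg-message hunk, `chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy` uses a lowercase `-r`, which FreeBSD's chown(8) does not have; recursion is `-R`, and as written the documented ownership step fails for anyone following it. Two smaller points in the same hunk: "specifiying" should be "specifying", and the sentence "Other changes may be necessary depending on your exact Caddy configuration." is placed between the chown step and the "Change the default runtime user" step, splitting the list, so it belongs after the final `service caddy start` step. The third upgrade block has no `maximum_version`, so it will be shown on every future upgrade; if that is intended until the default user changes, it is worth stating in the commit message.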
Flags: tom: maintainer-approval?