Bug 254463

Summary: www/caddy: caddy always runs as root
Product: Ports & Packages
Reporter: Jonas Rinner <wolfi>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED
Severity: Affects Many People
CC: daniel.tihanyi
Priority: ---
Flags: bugzilla: maintainer-feedback? (daniel.tihanyi)
Version: Latest   
Hardware: Any   
OS: Any   

Description Jonas Rinner 2021-03-21 14:33:00 UTC
While setting up caddy, I noticed that it always runs as root; I think that is not appropriate for a webserver. There is no rc value or anything provided that would allow you to make it drop privileges.

I'm assuming this is because while caddy does provide a daemon mode where it forks to the background, it does not actually have a flag that makes it drop privileges like other webservers do.

As far as I can tell, this would best be solved by running `caddy run` wrapped in a `daemon` instead of directly using the `caddy start` daemon mode. That way a `caddy_user` option can be added to make it run as www instead of root (which should also be the default).

I could contribute this fix if it's deemed appropriate, but I'm not familiar with svn, so I would probably have to wait for the git transition of the ports.
Comment 1 Daniel Tihanyi 2021-03-21 15:03:03 UTC
Hi,
yes, Caddy runs as root. There is another issue open to update Caddy to 2.3.0; would you maybe be able to provide a patch there? https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254436
Thanks!
Comment 2 Jonas Rinner 2021-03-21 15:22:26 UTC
Hi and thanks, I did already see that bug; but just now I realized (well, discovered with help) that a webserver should bind to its privileged ports (80, 443) first and then drop privileges. So this is really an upstream bug that should be reported to caddy. I will go on and report it there.
Comment 3 Jonas Rinner 2021-03-21 16:05:38 UTC
Update: I've looked into it further and it looks like they gave up on the idea: https://github.com/caddyserver/caddy/issues/528

However, it should still be possible for us to run it through daemon; the user will be root by default, and if the admin decides that they don't want that, they can use mac_portacl to allow it to bind to a privileged port or just use a reverse-proxy in front of it.

I can try providing a patch at bug #254436, but I don't think I can do an svn patch; I'm not familiar enough with that setup. I could provide a git patch if that's an option.
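
The setup proposed in the description and in Comment 3, as an added example that is not part of the bug thread and is not the port's actual rc script: it builds the mac_portacl(4) sysctl settings that let one unprivileged uid bind ports 80 and 443, plus the daemon(8) command line that runs `caddy run` as that user. The binary, config and pidfile paths and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example. Paths and the default user are assumptions, override via env.
CADDY_USER="${CADDY_USER:-www}"
CADDY_BIN="${CADDY_BIN:-/usr/local/bin/caddy}"
CADDY_CONFIG="${CADDY_CONFIG:-/usr/local/etc/caddy/Caddyfile}"
CADDY_PIDFILE="${CADDY_PIDFILE:-/var/run/caddy.pid}"

# portacl_rules UID PORT...
# Emit a mac_portacl rule list ("uid:UID:tcp:PORT,...") for one uid.
# Ports outside 1-1023 are rejected: only the reserved range needs an ACL.
portacl_rules() {
    uid="$1"; shift
    rules=""
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "not a port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 1023 ]; then
            echo "not a reserved port: $port" >&2; return 1
        fi
        rules="${rules:+$rules,}uid:${uid}:tcp:${port}"
    done
    printf '%s\n' "$rules"
}

# portacl_sysctls UID PORT...
# Emit /etc/sysctl.conf lines. reservedhigh=0 turns off the kernel's built-in
# "root only below 1024" check so that mac_portacl decides instead;
# suser_exempt=1 keeps root able to bind any port.
portacl_sysctls() {
    rules=$(portacl_rules "$@") || return 1
    echo "net.inet.ip.portrange.reservedhigh=0"
    echo "security.mac.portacl.port_high=1023"
    echo "security.mac.portacl.suser_exempt=1"
    echo "security.mac.portacl.rules=${rules}"
}

# daemon_cmd USER PIDFILE
# Emit the daemon(8) invocation: -u drops to USER, -p records the child pid.
daemon_cmd() {
    printf '%s\n' "/usr/sbin/daemon -u $1 -p $2 $CADDY_BIN run --config $CADDY_CONFIG"
}

if [ "${1:-}" = "show" ]; then
    uid=$(id -u "$CADDY_USER") || { echo "no such user: $CADDY_USER" >&2; exit 1; }
    echo "# set mac_portacl_load=\"YES\" in /boot/loader.conf, then in /etc/sysctl.conf:"
    portacl_sysctls "$uid" 80 443
    echo "# command for the rc script to run:"
    daemon_cmd "$CADDY_USER" "$CADDY_PIDFILE"
fi
```

Run with the argument `show` to print the settings for review; the script prints configuration only and changes nothing on the host.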
Comment 4 Jonas Rinner 2021-04-01 16:57:36 UTC
Fixed by ports r569408