Bug 254463 - www/caddy: caddy always runs as root
Summary: www/caddy: caddy always runs as root
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-ports-bugs (Nobody)
Depends on:
Reported: 2021-03-21 14:33 UTC by Jonas Rinner
Modified: 2021-04-01 16:57 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (daniel.tihanyi)


Note You need to log in before you can comment on or make changes to this bug.
Description Jonas Rinner 2021-03-21 14:33:00 UTC
While setting up caddy, I noticed that it always runs as root; I think that is not appropriate for a webserver. There is no rc value or anything provided that would allow you to make it drop privileges.

I'm assuming this is because while caddy does provide a daemon mode where it forks to the background, it does not actually have a flag that makes it drop privileges like other webservers do.

As far as I can tell, this would best be solved by running `caddy run` wrapped in a `daemon` instead of directly using the `caddy start` daemon mode. That way a `caddy_user` option can be added to make it run as www instead of root (which should also be the default).

I could contribute this fix if it's deemed appropriate, but I'm not familiar with svn, so I would probably have to wait for the git transition of the ports.
Comment 1 Daniel Tihanyi 2021-03-21 15:03:03 UTC
yes, Caddy runs as root. There is another issue open to update Caddy to 2.3.0, would you may be able to provide a patch there? https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254436
Comment 2 Jonas Rinner 2021-03-21 15:22:26 UTC
Hi and thanks, I did already see that bug; but just now I realized (well, discovered with help) that a webserver should bind to its privileged ports (80, 443) first and then drop privileges. So this is really an upstream bug that should be reported to caddy. I will go on and report it there.
Comment 3 Jonas Rinner 2021-03-21 16:05:38 UTC
Update: I've looked into it further and it looks like they gave up on the idea: https://github.com/caddyserver/caddy/issues/528

However it should still be possible for us to run it through daemon; the user will be root by default, and if the admin decides that he doesn't want that, they can use mac_portacl to allow it binding to a privileged port or just use a reverse-proxy in front of it.

I can try providing a patch at bug #254436, but I don't think I can do an svn patch; I'm not familiar enough with that setup. I could provide a git patch if that's an option.
Comment 4 Jonas Rinner 2021-04-01 16:57:36 UTC
Fixed by ports r569408