While setting up caddy, I noticed that it always runs as root; I think that is not appropriate for a webserver. There is no rc value or anything provided that would allow you to make it drop privileges. I'm assuming this is because while caddy does provide a daemon mode where it forks to the background, it does not actually have a flag that makes it drop privileges like other webservers do. As far as I can tell, this would best be solved by running `caddy run` wrapped in a `daemon` instead of directly using the `caddy start` daemon mode. That way a `caddy_user` option can be added to make it run as www instead of root (which should also be the default). I could contribute this fix if it's deemed appropriate, but I'm not familiar with svn, so I would probably have to wait for the git transition of the ports.
Hi, yes, Caddy runs as root. There is another issue open to update Caddy to 2.3.0; would you maybe be able to provide a patch there? https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254436 Thanks!
Hi and thanks, I did already see that bug; but just now I realized (well, discovered with help) that a webserver should bind to its privileged ports (80, 443) first and then drop privileges. So this is really an upstream bug that should be reported to caddy. I will go on and report it there.
Update: I've looked into it further and it looks like they gave up on the idea: https://github.com/caddyserver/caddy/issues/528 However, it should still be possible for us to run it through daemon; the user will be root by default, and if the admin decides that they don't want that, they can use mac_portacl to allow it to bind to a privileged port or just use a reverse-proxy in front of it. I can try providing a patch at bug #254436, but I don't think I can do an svn patch; I'm not familiar enough with that setup. I could provide a git patch if that's an option.
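The mac_portacl setup mentioned in the comment above, written out as an added configuration example; it is not part of the thread and not the change committed to the port. It assumes the stock FreeBSD `www` account (uid 80), and the pidfile and Caddyfile paths in the last comment are placeholders.

```conf
# /boot/loader.conf: load the port ACL policy module at boot
mac_portacl_load="YES"

# /etc/sysctl.conf
# Turn off the stock "ports below 1024 need root" check so that
# mac_portacl makes the decision instead.
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0

# mac_portacl polices every port from 1 up to port_high. A non-root
# process may bind in that range only if a rule below matches it, so
# the other low ports stay closed to unprivileged users.
security.mac.portacl.port_high=1023
# root remains exempt from the rules (this is the default).
security.mac.portacl.suser_exempt=1

# Rule format is idtype:id:protocol:port, comma separated.
# Assumption: www has uid 80, as on a stock install.
security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443

# With the above in place, the service can be started unprivileged
# through daemon(8), as proposed in this thread:
#   daemon -u www -p <pidfile> caddy run --config <Caddyfile>
```

The `www` account also needs read access to the configuration and write access to wherever caddy stores its certificates and state, since nothing in the process runs as root any more.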
Fixed by ports r569408