Created attachment 261047
Patch for headscale rc.d script

Hi!

The headscale documentation (https://headscale.net/stable/setup/requirements/) suggests running headscale as a dedicated user. However, in its current state, the rc.d script for headscale doesn't allow for changing the ${name}_user variable as defined in rc.subr(8). If one tried that, the service would start, but not as the user set in $headscale_user. And worse, when running `service headscale stop`, the service would not be stopped. The reason is that while a custom start_cmd is defined, a custom stop_cmd is not defined, and so the standard stop routine tries to kill the process as $headscale_user. This fails of course, because the process is owned by root.

I looked around a bit in other rc.d scripts (www/grafana, to name just one example of many) and it seems a common pattern is to set command="/usr/sbin/daemon" and command_args with all the arguments that headscale currently sets in start_cmd. This patch copies that pattern and thus enables running headscale as a user other than root.

Doing that does require changing the settings for noise.private_key_path, derp.server.private_key_path, database.sqlite.path and tls_letsencrypt_cache_dir in the headscale config file to paths that the headscale user can write to. I don't know if that should be documented somehow, or if one should hope that people that do run headscale as non-root can figure that out on their own (the error messages are helpful here).

This is my first patch to FreeBSD ports, feel free to yell at me if I did it wrong :)

-Stephan
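A preflight check for the config change described in the report, as an added example that is not part of the original report or of the port: it reads the four settings named above from a headscale config file and reports any path the invoking user cannot write. It assumes simple block-style YAML with two-space indentation; the function names `yaml_get`, `check_writable` and `preflight` are hypothetical.

```shell
#!/bin/sh
# Added example: run as the non-root service user before starting headscale.
# Assumes simple block-style YAML with two-space indentation.

# yaml_get FILE dotted.key -> prints the scalar value, or nothing if unset
yaml_get() {
    awk -v want="$2" -v q="'" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        line = $0; sub(/^ +/, "", line)
        depth = int((length($0) - length(line)) / 2)
        i = index(line, ":"); if (i == 0) next
        key = substr(line, 1, i - 1)
        val = substr(line, i + 1)
        sub(/^[ \t]+/, "", val)                  # leading blanks
        sub(/[ \t]+(#.*)?$/, "", val)            # trailing blanks or comment
        gsub("^[\"" q "]|[\"" q "]$", "", val)   # surrounding quotes
        path[depth] = key                        # remember the key at this level
        full = path[0]
        for (d = 1; d <= depth; d++) full = full "." path[d]
        if (full == want) { print val; exit }
    }' "$1"
}

# check_writable PATH -> success if the current user can write PATH,
# or can create it because its parent directory exists and is writable
check_writable() {
    p=$1
    if [ -e "$p" ]; then
        [ -w "$p" ]
    else
        [ -d "$(dirname "$p")" ] && [ -w "$(dirname "$p")" ]
    fi
}

# preflight CONFIG -> returns 1 if any of the four paths is not writable
preflight() {
    cfg=$1; rc=0
    for key in noise.private_key_path derp.server.private_key_path \
               database.sqlite.path tls_letsencrypt_cache_dir; do
        val=$(yaml_get "$cfg" "$key")
        if [ -z "$val" ]; then echo "skip  $key (not set)"; continue; fi
        if check_writable "$val"; then echo "ok    $key -> $val"
        else echo "FAIL  $key -> $val (not writable by $(id -un))"; rc=1; fi
    done
    return $rc
}
```

Source the file and call `preflight` with the path to the config while running as the account set in $headscale_user, since the result depends on who runs it.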