On Mon, Mar 27, 2017 at 01:14:26AM -0700, Ankit Malp wrote:
> >If you want to fix it, simply remove "LSTCHK_NETADM" in proto_tcp.c,
> >function bind_parse_interface().
> Awesome thanks a lot! This fix works :)

Thanks for the feedback.

> I would like to contribute this
> back, but like you mentioned there might be other places where a similar
> change is needed in which case someone else will be better skilled to fix
> this in a more generic manner.

You're welcome to make the patch yourself and to write a proper commit
message (please check CONTRIBUTING and just run "git log" on the file),
you'll save me some time. There's no need to touch other places for now
and we'd rather avoid the risk of adding trouble where people don't have
problems :-)

For the long term we might have a different flag for early permission
checks, but as I mentioned, anyway if you don't have the permissions to
bind you'll easily get a "permission denied" from the system upon startup,
which is quite explicit.

> >I suspect that most people don't get this simply because the setups where
> >they bind to multiple interfaces are the same where they also bind to
> >interfaces for outgoing connections or they're running in transparent
> >mode, both of which require runtime privileges as well.
> Is it common to run HAProxy as root (with chroot jail)?

No it's not common. In fact it's more common for those using it mixed
with another function (like a firewall) placed in cut-through, because
they often need to bind to foreign IP addresses, otherwise it's preferred
to avoid it.

> I was unsure,
> because I don't fully understand the worst case scenario which could be
> exploited in case of future CVE, when running as root?

That's exactly the reason why it's strongly recommended not to run it as
root. We've never had a case of remote code execution yet but it will
probably happen (as it did for every other project), and the day it happens,
you'd rather have a sanely isolated process. That's why we recommend
starting it as root so that it can chroot, and then dropping privileges to a
dedicated user. This way it becomes totally isolated and cannot interact
at all with any other process on the system.

Willy
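The layout Willy describes (start as root, chroot, then drop to a dedicated user) in a minimal configuration, as an added example that is not from the thread or the HAProxy project; the chroot path, the "haproxy" account, the interface name and the addresses are assumptions. The three global keywords in the middle are what turns the "worker keeps uid 0 for its whole life" layout into the isolated one; leaving them out is the weak setting.

```haproxy
# Added example (not the project's own configuration): minimal haproxy.cfg
# that starts as root, chroots, then drops privileges. Paths, the
# "haproxy" account and "eth0" are assumptions for illustration.
global
    log /dev/log local0
    daemon
    # Weak layout: omit the next three lines and the worker stays uid 0,
    # so a future remote code execution runs with full root on the host.
    # Corrected layout: bind as root, then lock the process into an empty
    # directory and an unprivileged account before serving any traffic.
    chroot /var/lib/haproxy     # empty directory, owned by root, mode 0755
    user  haproxy               # dedicated account: no shell, no home, no files
    group haproxy

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    # Listeners are bound before the privilege drop, so the process still
    # has to be started as root. If the kernel refuses this bind for lack
    # of permission, startup fails with an explicit "permission denied",
    # which is the behaviour the reply describes.
    bind :80 interface eth0
    default_backend app

backend app
    server app1 192.0.2.20:8080 check
```

After `haproxy -c -f haproxy.cfg` accepts the file and the daemon is started, `ps -o user,pid,args -C haproxy` should list the worker under the `haproxy` account rather than root, and `readlink /proc/<pid>/root` (run as root, from outside the jail) should resolve to `/var/lib/haproxy` rather than `/`; if either still shows root or `/`, the global keywords above did not take effect.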
