Re: is it safe to run net/haproxy as root?
On Thu, Apr 9, 2015, at 08:26, Mark Martinec wrote: Perhaps the haproxy port maintainer can be persuaded to assign some account entry for this purpose. This wouldn't be a perfect solution. If you're going to be proxying port 80 and 443 you need to initially run as root, but perhaps by default in the config file we could drop privs to the haproxy user? Sounds like we need some better documentation on best practices, too. ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
is it safe to run net/haproxy as root?
Hi, I am setting up haproxy for the first time, and of course my first OS choice is FreeBSD. Most services I am familiar with use their own service accounts which are created when port is installed (squid, ejabberd, mysql, clamav, vscan etc.). But haproxy does not create account, and there is no pkg-message, or any other reference which suggests I should create separate account, and also whether it needs shell, homedir etc. On the other hand, most web 'works for me' howtos mention running it under separate account. So, my question is the one from this mail's subject: Is it safe to run haproxy under root account? If not, what is the best practice regarding its user account's shell and homedir? Is there a recommendation for UID/GID? Thank you in advance, -- Marko Cupać https://www.mimar.rs ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
Re: is it safe to run net/haproxy as root?
On Thu, 09 Apr 2015 09:05:19 -0500 Mark Felder f...@freebsd.org wrote: On Thu, Apr 9, 2015, at 08:26, Mark Martinec wrote: Perhaps the haproxy port maintainer can be persuaded to assign some account entry for this purpose. This wouldn't be a perfect solution. If you're going to be proxying port 80 and 443 you need to initially run as root, but perhaps by default in the config file we could drop privs to the haproxy user? I am now testing proxying http(s) 80 and 443 to apache servers, but also tcp 3306 to mysql servers. I use separate profiles (which spawn separate instances if I understand well). Maybe it would be good to drop http(s) to www user/group, and tcp 3306 to mysql user/group? www user/group comes with default FreeBSD installation, and I would need to create mysql user/group manually with same parameters as mysql port creates them (no problem). Does this sound reasonable? -- Marko Cupać https://www.mimar.rs ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
Re: is it safe to run net/haproxy as root?
On Thu, Apr 9, 2015, at 09:27, Marko Cupać wrote: On Thu, 09 Apr 2015 09:05:19 -0500 Mark Felder f...@freebsd.org wrote: On Thu, Apr 9, 2015, at 08:26, Mark Martinec wrote: Perhaps the haproxy port maintainer can be persuaded to assign some account entry for this purpose. This wouldn't be a perfect solution. If you're going to be proxying port 80 and 443 you need to initially run as root, but perhaps by default in the config file we could drop privs to the haproxy user? I am now testing proxying http(s) 80 and 443 to apache servers, but also tcp 3306 to mysql servers. I use separate profiles (which spawn separate instances if I understand well). Maybe it would be good to drop http(s) to www user/group, and tcp 3306 to mysql user/group? www user/group comes with default FreeBSD installation, and I would need to create mysql user/group manually with same parameters as mysql port creates them (no problem). Does this sound reasonable? That seems to be a solid idea for your environment. I'm working on a patch for the port that introduces an haproxy user and also installs an example config file with the uid and gid already set as well as chroot being enabled by default. That should alleviate the issue for new installations. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199314 ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
Re: is it safe to run net/haproxy as root?
Marko Cupać wrote: I am setting up haproxy for the first time, and of course my first OS choice is FreeBSD. Most services I am familiar with use their own service accounts which are created when port is installed (squid, ejabberd, mysql, clamav, vscan etc.). But haproxy does not create account, and there is no pkg-message, or any other reference which suggests I should create separate account, and also whether it needs shell, homedir etc. On the other hand, most web 'works for me' howtos mention running it under separate account. So, my question is the one from this mail's subject: Is it safe to run haproxy under root account? If not, what is the best practice regarding its user account's shell and homedir? Is there a recommendation for UID/GID? It might be safe, but there is no compelling reason to run it as root, and a common sense advises against it. Even if it needs to bind to a low port number, haproxy is capable of dropping privilege after binding to a socket, and continues running under some other uid/gid, e.g.: /usr/local/etc/haproxy.conf global daemon user www group www [...] Apparently there isn't any standard FreeBSD uid assigned for this purpose. Either make up one, or it may be good enough to re-use one of the existing ones, perhaps the www account. Perhaps the haproxy port maintainer can be persuaded to assign some account entry for this purpose. Mark ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
