is it safe to run net/haproxy as root?

Mark Felder feld at FreeBSD.org
Thu Apr 9 15:21:03 UTC 2015



On Thu, Apr 9, 2015, at 09:27, Marko Cupać wrote:
> On Thu, 09 Apr 2015 09:05:19 -0500
> Mark Felder <feld at FreeBSD.org> wrote:
> 
> > 
> > 
> > On Thu, Apr 9, 2015, at 08:26, Mark Martinec wrote:
> > > 
> > > Perhaps the haproxy port maintainer can be persuaded to assign
> > > some account entry for this purpose.
> > > 
> > 
> > This wouldn't be a perfect solution. If you're going to be proxying
> > port 80 and 443 you need to initially run as root, but perhaps by
> > default in the config file we could drop privs to the haproxy user?
> 
> I am now testing proxying http(s) 80 and 443 to apache servers, but
> also tcp 3306 to mysql servers. I use separate profiles (which spawn
> separate instances if I understand well).
> 
> Maybe it would be good to drop http(s) to www user/group, and tcp 3306
> to mysql user/group? www user/group comes with default FreeBSD
> installation, and I would need to create mysql user/group manually with
> same parameters as mysql port creates them (no problem).
> 
> Does this sound reasonable?
>

That seems to be a solid idea for your environment.

I'm working on a patch for the port that introduces an haproxy user and
also installs an example config file with the uid and gid already set as
well as chroot being enabled by default.

That should alleviate the issue for new installations.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199314


More information about the freebsd-ports mailing list