author: George Hartzell <[email protected]> 2019-07-18 14:19:21 -0700
committer: Matt Holt <[email protected]> 2019-07-18 15:19:21 -0600
commit: d411b7d087d81081022c91a3030d0c774f03f1da (patch)
tree: f2ba9d560aa18b175c3bf502b95862bc26111007
parent: 580f7677adc4537c75609d3526227410ca9b82d3 (diff)
download: caddy-d411b7d087d81081022c91a3030d0c774f03f1da.tar.gz
          caddy-d411b7d087d81081022c91a3030d0c774f03f1da.zip
Add doc re running as non-root user on FreeBSD (#2655)
Add a README.md in `dist/init/freebsd` that describes how to configure the system so that `caddy` can be run without root privileges.
-rw-r--r--  dist/init/freebsd/README.md | 52
1 file changed, 52 insertions, 0 deletions
diff --git a/dist/init/freebsd/README.md b/dist/init/freebsd/README.md
index 2aad25d1a..d2b38e667 100644
--- a/dist/init/freebsd/README.md
+++ b/dist/init/freebsd/README.md
@@ -1,3 +1,55 @@
+# Running caddy without root privileges
+
+FreeBSD systems can use the mac_portacl module to allow access to
+ports below 1024 by specific users (by default, non-root users are not
+able to open ports below 1024).
+
+On a stock FreeBSD system, you need to:
+
+1. Add the following line to `/boot/loader.conf`, which tells the boot
+ loader to load the `mac_portacl` kernel module:
+
+ ``` shell
+ mac_portacl_load="YES"
+ ```
+
+2. Add the following lines to `/etc/sysctl.conf`
+
+ ``` shell
+ net.inet.ip.portrange.reservedlow=0
+ net.inet.ip.portrange.reservedhigh=0
+ security.mac.portacl.port_high=1023
+ security.mac.portacl.suser_exempt=1
+ security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443
+ ```
+
+ The first two lines disable the default restrictions on ports <
+ 1023, the third makes the `mac_portacl` system responsible for ports
+ from 0 (the default) up to 1023, and the fourth ensures that the
+ superuser can open *any* port.
+
+ The final/fifth line specifies two rules, separated by a `,`:
+
+ - the first gives the `www` user (uid = 80) access to the `http`
+ port (80); and
+ - the second gives the `www` user (uid = 80) access to the `https`
+ port (443).
+
+ Other/additional rules are possible, e.g. access can be constrained
+ by membership in the `www` *group* using the `gid` specifier:
+
+ ```
+ security.mac.portacl.rules=gid:80:tcp:80,gid:80:tcp:443
+ ```
+
+## See also
+
+- The *MAC Port Access Control List Policy* section of the [Available
+ MAC
+ Policies](https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-policies.html)
+ page.
+- [Caddy issue #1923](https://github.com/mholt/caddy/issues/1923).
+
# Logging the caddy process's output:
Caddy's FreeBSD `rc.d` script uses `daemon` to run `caddy`; by default
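Review bot: The explanation of the sysctl block is off by one and the document never says that caddy itself has to run as the user the rules name. `security.mac.portacl.port_high=1023` and the default `reservedhigh` both describe an inclusive range, so "ports < 1023" in the paragraph after the sysctl listing should read "ports 0 through 1023" to match "from 0 (the default) up to 1023" two lines later. More importantly, the rules `uid:80:tcp:80,uid:80:tcp:443` only permit uid 80 (`www`) to bind those ports; any other unprivileged user is still denied, so the README should state explicitly that the caddy process must be started as `www` (or as whatever uid/gid the rules list) for these settings to have any effect, otherwise a reader who follows the steps and launches caddy under another account will still get a bind error. Two smaller points: the last fence (the `gid:80` variant) is missing the ` shell` tag the earlier fences use, and a sentence noting that the settings are applied at boot via `/boot/loader.conf` and `/etc/sysctl.conf`, or immediately with `kldload mac_portacl` followed by `sysctl -f /etc/sysctl.conf`, would save a reboot-or-not question for readers.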