| field | value | date |
|---|---|---|
| author | George Hartzell <[email protected]> | 2019-07-18 14:19:21 -0700 |
| committer | Matt Holt <[email protected]> | 2019-07-18 15:19:21 -0600 |
| commit | d411b7d087d81081022c91a3030d0c774f03f1da (patch) | |
| tree | f2ba9d560aa18b175c3bf502b95862bc26111007 | |
| parent | 580f7677adc4537c75609d3526227410ca9b82d3 (diff) | |
| download | caddy-d411b7d087d81081022c91a3030d0c774f03f1da.tar.gz caddy-d411b7d087d81081022c91a3030d0c774f03f1da.zip | |
Add doc re running as non-root user on FreeBSD (#2655)
Add a README.md in `dist/init/freebsd` that describes how to configure
the system so that `caddy` can be run without root privileges.
-rw-r--r-- | dist/init/freebsd/README.md | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/dist/init/freebsd/README.md b/dist/init/freebsd/README.md index 2aad25d1a..d2b38e667 100644 --- a/dist/init/freebsd/README.md +++ b/dist/init/freebsd/README.md @@ -1,3 +1,55 @@ +# Running caddy without root privileges + +FreeBSD systems can use the mac_portacl module to allow access to +ports below 1024 by specific users (by default, non-root users are not +able to open ports below 1024). + +On a stock FreeBSD system, you need to: + +1. Add the following line to `/boot/loader.conf`, which tells the boot + loader to load the `mac_portacl` kernel module: + + ``` shell + mac_portacl_load="YES" + ``` + +2. Add the following lines to `/etc/sysctl.conf` + + ``` shell + net.inet.ip.portrange.reservedlow=0 + net.inet.ip.portrange.reservedhigh=0 + security.mac.portacl.port_high=1023 + security.mac.portacl.suser_exempt=1 + security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443 + ``` + + The first two lines disable the default restrictions on ports < + 1023, the third makes the `mac_portacl` system responsible for ports + from 0 (the default) up to 1023, and the fourth ensures that the + superuser can open *any* port. + + The final/fifth line specifies two rules, separated by a `,`: + + - the first gives the `www` user (uid = 80) access to the `http` + port (80); and + - the second gives the `www` user (uid = 80) access to the `https` + port (443). + + Other/additional rules are possible, e.g. access can be constrained + by membership in the `www` *group* using the `gid` specifier: + + ``` + security.mac.portacl.rules=gid:80:tcp:80,gid:80:tcp:443 + ``` + +## See also + +- The *MAC Port Access Control List Policy* section of the [Available + MAC + Policies](https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-policies.html) + page. +- [Caddy issue #1923](https://github.com/mholt/caddy/issues/1923). + # Logging the caddy process's output: Caddy's FreeBSD `rc.d` script uses `daemon` to run `caddy`; by default |
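Review bot: the two `net.inet.ip.portrange.reservedlow=0` / `reservedhigh=0` lines in step 2 remove the kernel's reserved-port protection for every uid, so after this change the only thing keeping arbitrary users off ports 1-1023 is the `mac_portacl` policy; the README should say so explicitly and tell the reader to confirm the module is actually loaded (and that `security.mac.portacl.*` only exists once it is) before relying on it, and whether a reboot or a manual load plus re-applying `/etc/sysctl.conf` is needed for the settings to take effect. Two smaller points in the same hunk: the heading text says "below 1024" while the explanation says "ports < 1023", an off-by-one in the wording since `port_high=1023` is inclusive; and the `/etc/sysctl.conf` and `/boot/loader.conf` snippets are fenced as `shell` while the `gid` variant has no language tag, so pick one consistent tag for configuration content. The hunk also never states how the `rc.d` service is made to run `caddy` as `www` (uid 80), which is the precondition for the rules to matter; a sentence pointing at the relevant rc script setting would complete the procedure.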