New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
caddy 2.6.4 package setcaps directly #44500
Comments
Alpine also sets this capability and I think our service might not work without it because caddy doesn't run as root there |
Not running caddy as root is good. The suggested changes to use setpriv makes it work in an equivalent way. I am using caddy, and I am running with those changes. (Might need to change runtime pkg dependencies, as chpst does not have this, well, capability) If Alpine distributes a setcap binary, then they too have an issue. Capabilities are not meant to be given to binaries that don't verify their uses. They are a responsibility of things split from the all-powerful root permissions. The binary installed here allows everyone to bind to nonprivileged ports, which normally is restricted to root. With this binary, it's possible to do that by any user. This might be a CVE level issue. It's not with caddy, caddy does not expect users to have this capability - it's only making single user development easier, but bad on a generic Linux/Unix system in general. This is what Apache has to say about the scheme if used for development: Allow me to describe a full demonstration of what the problem is: (void with no caddy installed, just to not disturb the configuration):
expected result: after stopping it with as a nonroot user:
Now, in another window, |
Alpine uses setcap for caddy because:
|
Is this a new report?
Yes
System Info
Void 6.3.6_1 x86_64 AuthenticAMD uptodate F
Package(s) Affected
caddy-2.6.4_2
Does a report exist for this bug with the project's home (upstream) and/or another distro?
Possibly not, it's directly related to the package's INSTALL file using setcap, which contradicts recommended operational practices.
Expected behaviour
caddy, when started by activating it in /var/service, should be able to open privileged ports such as 443 and 80, but it should not grant this permission to users in general.
Actual behaviour
When the caddy package is installed (does not even need to run), can squat on privileged ports as it has a capabilities directly set on the binary.
Steps to reproduce
Have a Caddyfile with the contents:
caddy run --config ./Caddyfile
then happily starts a server on port 23, when started as a normal user. (With an already running caddy with an enabled admin port, a minimal addition is needed for success)I don't think this is desirable. Other distributions normally use systemd to grant this capability only the caddy service installed/started by the system, not to the installed binary.
I recommend dropping the INSTALL file with setcap, and instead of chpst (as it doesn't seem to be capabilities aware), perhaps use setpriv for a similar effect:
This has been tested to provide functionality matching the current setup when run via a /var/service link, but not allowing any user to squat unused privileged ports with a configuration in their control.
The text was updated successfully, but these errors were encountered: