Comments (4)
tschettervictor
commented on June 30, 2024
1
Excellent.
I’m linking to a thread with two possible solutions.
Solution
from caddy-cgi.
aksdb
commented on June 30, 2024
If binding to port 80 is your only reason for running as root, you should look into capabilities and especially the capability CAP_NET_BIND_SERVICE. If your service is run with that, it is allowed to bind to priviledges ports even if it is not root.
from caddy-cgi.
tschettervictor
commented on June 30, 2024
I have other reason, like security.
It’s just easier to run caddy as root.
Possible to set the uid/gid for the cgi process maybe?
Maybe run caddy as root then switch to www?
I’m on FreeBSD btw
from caddy-cgi.
aksdb
commented on June 30, 2024
I have other reason, like security.
Security should be higher when not run as root.
I have not enough knowledge to advice on best practices for FreeBSD though. So I'll have to take your word for it.
Possible to set the uid/gid for the cgi process maybe?
Not without bigger rework or less code-reuse. The cgi.Handler doesn't allow customizing the os.exec calls. So I would have to replicate (or copy and then modify) the whole cgi package just to pass another parameter to the process creation.
Maybe run caddy as root then switch to www?
Not that I am aware of. I think in the age of containers and cgroups, there is simply no good reason to trust a process with forking itself into a lesser-priviledged child process.
So IMO you have these options:
- Find out, why the script behaves differently when run as root vs non-root. Maybe it has a "am I root"-check and denies running then?
- Wrap the script with something like
sudoto run it as a different user. - Run Caddy with less privileges (as a container or something similar ... whatever FreeBSD offers for that).
- Run a second Caddy with less privileges and reverse-proxy to it.
from caddy-cgi.
Related Issues (12)
- Q about uid/gid permissions
- 404 in combination with file_server HOT 1
- Error when builing module HOT 5
- error when using both cgi and static files HOT 2
- Possible to do an nph option? HOT 6
- SCRIPT_NAME is not stripped from PATH_INFO when a placeholder is used HOT 2
- Upstream possible? HOT 4
- Issue with empty POST_DATA with Content-Type "application/x-www-form-urlencoded" HOT 1
- module declares its path as: github.com/jung-kurt/caddy-cgi HOT 1
- Module does not build anymore HOT 4
- CGI error: fork/exec (File not found on Windows) HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from caddy-cgi.