Comment on Is this mail something I should be concerned about?
sugar_in_your_tea@sh.itjust.works 1 week ago
Caddy should never run sudo IMO, I think it’s also a software bug.
dgdft@lemmy.world 1 week ago
What would be the correct way for caddy to run actions like this that require elevated permissions, in your view?
sugar_in_your_tea@sh.itjust.works 1 week ago
Don’t require elevated permissions. Either grant the user it runs as permission to that dir, or instruct it to use a different dir that it has access to. Services should have the least permissions possible.
dgdft@lemmy.world 1 week ago
That’s how it already works — Caddy doesn’t require elevated privileges in general. You can toss a binary + config + certs anywhere in the homedir and it’ll go fine if you bind to a non-privileged port.
But users want software to do stuff like help set up certs and serve on ports 80 & 443, so what better option is there than to limit scope of execution by doing pinhole actions with sudo?
sugar_in_your_tea@sh.itjust.works 1 week ago
For binding privileged ports like 80 and 443, use CAP_NET_BIND_SERVICE. For access to protected directories, adjust permissions.
At no point should sudo be necessary, that’s how you get security vulnerabilities.
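
One way to apply the advice in the last comment, as an added example that is not part of the thread and not Caddy's own unit file: a systemd service that runs under an unprivileged account, receives only CAP_NET_BIND_SERVICE for ports 80 and 443, and gets a state directory it owns. The `caddy` account, its home directory, the binary path and the Caddyfile path are assumptions.

```ini
# /etc/systemd/system/caddy.service (constructed example; paths and the
# "caddy" account are assumptions, adjust them to the local install)
[Unit]
Description=Caddy web server (unprivileged, single capability)
After=network-online.target
Wants=network-online.target

[Service]
# Run as a dedicated non-root account instead of root or a sudo-capable user.
User=caddy
Group=caddy

# Grant only the right to bind ports below 1024 (80 and 443 here).
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Cap what the process could ever hold, even if it execs another binary.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Setuid helpers such as sudo can no longer raise privileges from here.
NoNewPrivileges=true

# Creates /var/lib/caddy owned by User=/Group=, so certificates and state
# need no elevated write. Assumes the caddy account's home is /var/lib/caddy.
StateDirectory=caddy
StateDirectoryMode=0750

# The rest of the filesystem is read-only to the service.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true

ExecStart=/usr/bin/caddy run --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

With `NoNewPrivileges=true` set, any attempt by the service to call `sudo` fails, which makes an unexpected privilege request show up as an error in the journal instead of succeeding silently.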