Updating Caddy: kldload: can't load mac_portacl: Operation not permitted

[GJSchaller]

I recenlty was running package updates on my jails, and one of them running Caddy gave me the following message on update:

Message from caddy-2.7.6:

--
It is STRONGLY RECOMMENDED to run Caddy as an unprivileged user, such as
www:www, rather than the current default of root:wheel.

If you have relied upon earlier defaults:

- Use security/portacl-rc to enable privileged port binding:

# pkg install security/portacl-rc
# sysrc portacl_users+=www
# sysrc portacl_user_www_tcp="http https"
# sysrc portacl_user_www_udp="https"
# service portacl enable
# service portacl start

- Stop the server, and update ownership on Caddy runtime files:

# service caddy stop
# chown -R www:www /var/db/caddy /var/log/caddy /var/run/caddy

Other changes may be necessary depending on your exact Caddy
configuration.

- Change the default runtime user, and restart the server:

# sysrc caddy_user=www caddy_group=www
# service caddy start

I followed these steps, but ran into an issue with "service portacl start":

root@piwigo:~ # service portacl start
kldload: can't load mac_portacl: Operation not permitted
/usr/local/etc/rc.d/portacl: WARNING: Unable to load kernel module mac_portacl
root@piwigo:~ #

What do I need to do to correct this, so that I can update Caddy to run as www and not as root?

This is in a FreeBSD 13.2-RELEASE-p10 jail, with all packages current as of March 16th, running on TrueNAS-13.0-U6.1

@danb35 - if your creation scripts take care of this already, I can just nuke the jail and rebuild it.

 

[victort]

I recenlty was running package updates on my jails, and one of them running Caddy gave me the following message on update:



I followed these steps, but ran into an issue with "service portacl start":



What do I need to do to correct this, so that I can update Caddy to run as www and not as root?

This is in a FreeBSD 13.2-RELEASE-p10 jail, with all packages current as of March 16th, running on TrueNAS-13.0-U6.1

@danb35 - if your creation scripts take care of this already, I can just nuke the jail and rebuild it.

This is really not allowed in jails, as the security is too high.

Have a look at this thread.

SOLVED - jail running service on privileged port <1024

A while back i tired to change all the default port that my jails used to port 80 or 443 as I have so many I can not remember most of them and have to google search to find the correct port. e.g couch potato uses 5050, sickchill uses 8080. The problem is that when i change the port in the...

www.truenas.com

 

[GJSchaller]

OK, that makes me feel a bit better, thank you. Is the inherent security of a Jail enough that i don't need to worry about running Caddy as www, or should I make the change?

 

[victort]

OK, that makes me feel a bit better, thank you. Is the inherent security of a Jail enough that i don't need to worry about running Caddy as www, or should I make the change?

I’m also waiting for that answer.