Updating Caddy: kldload: can't load mac_portacl: Operation not permitted

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
I recently was running package updates on my jails, and one of them running Caddy gave me the following message on update:

Message from caddy-2.7.6:

--
It is STRONGLY RECOMMENDED to run Caddy as an unprivileged user, such as
www:www, rather than the current default of root:wheel.

If you have relied upon earlier defaults:

- Use security/portacl-rc to enable privileged port binding:

# pkg install security/portacl-rc
# sysrc portacl_users+=www
# sysrc portacl_user_www_tcp="http https"
# sysrc portacl_user_www_udp="https"
# service portacl enable
# service portacl start

- Stop the server, and update ownership on Caddy runtime files:

# service caddy stop
# chown -R www:www /var/db/caddy /var/log/caddy /var/run/caddy

Other changes may be necessary depending on your exact Caddy
configuration.

- Change the default runtime user, and restart the server:

# sysrc caddy_user=www caddy_group=www
# service caddy start

I followed these steps, but ran into an issue with "service portacl start":

root@piwigo:~ # service portacl start
kldload: can't load mac_portacl: Operation not permitted
/usr/local/etc/rc.d/portacl: WARNING: Unable to load kernel module mac_portacl
root@piwigo:~ #

What do I need to do to correct this, so that I can update Caddy to run as www and not as root?

This is in a FreeBSD 13.2-RELEASE-p10 jail, with all packages current as of March 16th, running on TrueNAS-13.0-U6.1

@danb35 - if your creation scripts take care of this already, I can just nuke the jail and rebuild it.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I recently was running package updates on my jails, and one of them running Caddy gave me the following message on update:

I followed these steps, but ran into an issue with "service portacl start":

What do I need to do to correct this, so that I can update Caddy to run as www and not as root?

This is in a FreeBSD 13.2-RELEASE-p10 jail, with all packages current as of March 16th, running on TrueNAS-13.0-U6.1

@danb35 - if your creation scripts take care of this already, I can just nuke the jail and rebuild it.
This is really not allowed in jails, as the security is too high.

Have a look at this thread.
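The pkg-message in the first post gives the migration as a flat list of commands, and the reply above explains why the portacl step fails inside a jail. The following script is an added example, not part of this thread, the caddy port or its pkg-message: it wraps the same steps in a pre-flight check that reads security.jail.jailed and kldstat before touching portacl, so a jail reports the problem up front instead of at "service portacl start". It assumes FreeBSD, that the www user exists, and the paths and rc knobs the pkg-message lists; the claim that host-loaded mac_portacl rules are what a jail relies on is the author's assumption, not something the thread states. Nothing is changed unless the script is run with --apply.

```shell
#!/bin/sh
# Added example; not from the thread, the caddy port or its pkg-message.
# Pre-flight wrapper for the pkg-message migration: it checks where it is
# running before touching portacl, so the "Operation not permitted" from
# kldload inside a jail is reported before anything is changed.
# Assumptions: FreeBSD, the www user exists, and the paths and rc knobs are
# the ones the pkg-message lists. Nothing is changed unless run with --apply.

# plan_portacl JAILED LOADED
#   JAILED: sysctl security.jail.jailed (1 inside a jail, 0 on the host)
#   LOADED: 1 if kldstat already lists mac_portacl, else 0
# Loading a kernel module is a host privilege that jails do not have, which
# is why "service portacl start" failed in the thread.
plan_portacl() {
    jailed="$1"
    loaded="$2"
    if [ "$jailed" = "1" ]; then
        if [ "$loaded" = "1" ]; then
            echo "jail-module-present"  # host loaded it; rules are set host-side (assumption)
        else
            echo "jail-needs-host"      # load and configure mac_portacl on the host
        fi
    elif [ "$loaded" = "1" ]; then
        echo "host-module-present"      # only the rc knobs and rules are missing
    else
        echo "host-load-module"         # the portacl rc script can kldload it here
    fi
}

# Gather the two inputs on a live FreeBSD system.
preflight() {
    jailed=$(sysctl -n security.jail.jailed 2>/dev/null || echo 0)
    loaded=0
    kldstat -q -m mac_portacl 2>/dev/null && loaded=1
    plan_portacl "$jailed" "$loaded"
}

# The portacl steps from the pkg-message, parametrised on the runtime user.
apply_portacl() {
    user="$1"
    sysrc "portacl_users+=$user"
    sysrc "portacl_user_${user}_tcp=http https"
    sysrc "portacl_user_${user}_udp=https"
    service portacl enable
    service portacl start
}

# The ownership and rc.conf steps from the pkg-message, then a check that the
# daemon really came back as the unprivileged user.
apply_caddy_user() {
    user="$1"
    service caddy stop
    chown -R "$user:$user" /var/db/caddy /var/log/caddy /var/run/caddy
    sysrc "caddy_user=$user" "caddy_group=$user"
    service caddy start
    pgrep -u "$user" -x caddy >/dev/null || {
        echo "caddy is not running as $user" >&2
        return 1
    }
}

if [ "${1:-}" = "--apply" ]; then
    user="${2:-www}"
    case "$(preflight)" in
        jail-needs-host)
            echo "inside a jail: load mac_portacl and set its rules on the host first;" >&2
            echo "until then caddy running as $user cannot bind ports 80/443." >&2
            exit 1 ;;
        jail-module-present)
            echo "mac_portacl already loaded by the host; skipping the in-jail portacl step" ;;
        host-*)
            apply_portacl "$user" ;;
    esac
    apply_caddy_user "$user"
fi
```

Run it without arguments to load the functions only; `sh migrate-caddy.sh --apply` (default user www) performs the migration, and the exit status of the pre-flight tells you whether the work belongs in the jail or on the host.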
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
OK, that makes me feel a bit better, thank you. Is the inherent security of a Jail enough that I don't need to worry about running Caddy as www, or should I make the change?
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
OK, that makes me feel a bit better, thank you. Is the inherent security of a Jail enough that I don't need to worry about running Caddy as www, or should I make the change?
I’m also waiting for that answer.
 