Solved Run as root inside a jail?

I'm using Tailscale on the router for remote access to hosts inside the LAN, but I would also like to protect a jailed instance of vaultwarden with a reverse proxy in the jail.

I've used Caddy on the other OS, and I really like the fact that it manages the certs, but the installer notes for FreeBSD indicate that it runs as root by default and gives instructions to run as the www user instead:

Code:
# pkg install security/portacl-rc
# sysrc portacl_users+=www
# sysrc portacl_user_www_tcp="http https"
# sysrc portacl_user_www_udp="https"
# service portacl enable
# service portacl start
# sysrc caddy_user=www caddy_group=www

Following those instructions gives an error for mac_portacl:

Code:
root@server:~ # service portacl start
kldload: can't load mac_portacl: Operation not permitted
/usr/local/etc/rc.d/portacl: WARNING: Unable to load kernel module mac_portacl

I could generate the certs using acme.sh and use a different reverse proxy, or run on the host itself, but this reminded me of something I've been wondering about for a long time:

In general, are jails locked down enough that it's reasonably safe to run as root inside them? How would you compare the risks of running as root in a jail against running as a non-root user on the host?
 
Good question. I’ve been running caddy as root for years, and occasionally wonder about this.

You can’t run caddy as any other user with ports below 1024, but I do notice in the rc script it says this is planned.
 
Would it make more sense to install the reverse proxy on the host itself rather than trying to install a separate instance in each jail?
 
You would only need to install it inside one jail, and point all your domain records to that one jail. That jail would then reverse proxy to any other service you would want to add.

Why do you think you need to install it inside each jail?
 