API hardening: Limit access

_ahoi · October 1, 2024, 9:18am

Hello everyone,

1. The problem I’m having:

I don’t really have a problem. I just want to understand concepts of caddy better.

I understand that caddy uses an API. I am free to disable this API by using

{
  admin off
}

If I do so, the command systemctl reload caddy will fail, because the unit file describes that command as:

/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force

and this seems to use the API.

But here begins my problem: I got different users on a system. All of these users can login using ssh and, even if I limit the caddy port using the firewall, edit the caddy config using the API.

This is, of course, something I want to prevent.

What would be the best way to:

Allow the usage of systemctl reload caddy
Limit the usage of the API in order to forbid other users than the root or caddy user to modify the config

3. Caddy version:

caddy version
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

From package

a. System environment:

Ubuntu 24.04

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Mohammed90 · October 1, 2024, 9:39am

You can configure the admin endpoint to listen on a unix socket, which allows you to control which users can access it via the file system ACL. This is mentioned in the admin section on the Caddyfile Global options page, which I’ve linked to directly in the below.

_ahoi · October 1, 2024, 10:09am

Thanks. That’s a good finding, thanks.

So I’d assume that Caddy will take care of creating that socket on service start.

Once I restart caddy, I am getting this error:

Oct 01 04:52:53 server1 caddy[54892]: Error: loading initial config: loading new config: starting caddy administration endpoint: listen unix /run/caddy-admin.sock: bind: permission denied

Okay. /run is owned by root and caddy is using a separate user, so I guess, caddy cannot create that socket. So I changed it to:

  admin unix//etc/caddy/socket/caddy-admin.sock
}

which is writeable for that user:

drwxr-xr-x   2 caddy caddy 4.0K Oct  1 05:03 socket

But still it’s having it’s troubles:

Oct 01 05:03:31 server1 caddy[54982]: Error: loading initial config: loading new config: starting caddy administration endpoint: unable to set permissions (--w-------) on /etc/caddy/socket/caddy-admin.sock: chmod /etc/caddy/socket/caddy-admin.sock: no such file or directory

Mohammed90 · October 1, 2024, 11:08am

The standard systemd unit file shipped with Caddy uses ProtectSystem=full, which makes most directories inaccessible except for selected few. Systemd documentation elaborates more on this config.

https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem=

You can use the systemd ReadWritePaths directive to override the restriction for selected paths.

https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ReadWritePaths=

We document here how to override some of the systemd configuration we ship with Caddy.

When configuring Caddy with a unix socket, you can customize the permission bits set on the socket.

Conventions — Caddy Documentation.

eriksjolund · October 13, 2024, 8:27am

caddy 2.9.0 (yet to be released) will have support for socket activation.

It looks like the admin API socket can be configured with socket activation too.

I verified that it is possible to set ownership of the socket file in the socket unit.
For example the file
/etc/systemd/system/caddy.socket
could contain

[Socket]
ListenStream=0.0.0.0:8080
ListenStream=/run/caddy.sock
SocketMode=0600
SocketUser=core
SocketGroup=core
[Install]
WantedBy=sockets.target

In this example the unix socket can be used for the admin API by adding

{
  auto_https disable_redirects
  admin fd/4
}

to a Caddyfile.

The number 4 is used because the Unix socket is the second socket in the unit file. For details about the counting, see SD_LISTEN_FDS_START in the man page sd_listen_fds

system · November 12, 2024, 8:27am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.