Running as Unprivileged User on OSX

Anyone had any luck getting caddy to run under a non-root user account on OSX?

Unfortunately OSX doesn’t have setcap available and the nearest thing I’ve found which looks like it should do the job is OSX-authbind. Unfortunately I’ve not had much luck getting it working.

I've added the following files to /etc/authbind/byport/, chowned them to my user and chmod 755'ed them:

$ ls -al /etc/authbind/byport

-rwxr-xr-x  1 myusername  staff    0 27 Sep 12:30 443
-rwxr-xr-x  1 myusername  staff    0 27 Sep 12:30 80

From my understanding of authbind's pretty sparse documentation, that should do the trick by allowing processes started by me [i.e. the Caddy process] to access ports 80 and 443. However, when I issue the command authbind caddy I get the following error:

fatal error: runtime: bsdthread_register error (unset DYLD_INSERT_LIBRARIES)

runtime stack:
runtime.throw(0x64264c, 0x3f)
       	/usr/local/go/src/runtime/panic.go:566 +0x95 fp=0x7fff5fbff9e0 sp=0x7fff5fbff9c0
       	/usr/local/go/src/runtime/os_darwin.go:86 +0x85 fp=0x7fff5fbffa10 sp=0x7fff5fbff9e0
       	/usr/local/go/src/runtime/proc.go:450 +0x9c fp=0x7fff5fbffa50 sp=0x7fff5fbffa10
runtime.rt0_go(0x7fff5fbffa88, 0x1, 0x7fff5fbffa88, 0x0, 0x0, 0x1, 0x7fff5fbffbb0, 0x0, 0x7fff5fbffbb6, 0x7fff5fbffbc5, ...)
       	/usr/local/go/src/runtime/asm_amd64.s:145 +0x14f fp=0x7fff5fbffa58 sp=0x7fff5fbffa50

I’ve no idea where to even start dissecting that one. Can anyone give me a clue?

I haven't used authbind before, but my guess is the Go program is failing to start as the runtime is blocked. If I were a betting man, I would assume it is because the process didn't actually have true privilege escalation. In my experience MacOS doesn't really have an equivalent to Linux capabilities. Generally, you have to bind the process to a higher port (like 8080) and use rules in pf to redirect traffic to it. All that being said, is there a reason you need to run Caddy on those ports on your Mac?

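The pf redirect the reply suggests, written out as an added example (this is not code from the thread or from the Caddy project). The error in the original post points at DYLD_INSERT_LIBRARIES, the library-interposition mechanism that OSX-authbind relies on and that the Go runtime refuses to start under, so instead of interposing bind() this script keeps Caddy on unprivileged ports and lets the packet filter rewrite the destination port. Assumptions: Caddy listens on 127.0.0.1:8080 and 127.0.0.1:8443 (hypothetical ports), the rules live in /etc/pf.anchors/caddy (hypothetical path) under a pf anchor named "caddy", and /etc/pf.conf already contains the line rdr-anchor "caddy" so that anchor is consulted. The pfctl steps only run on macOS, as root, and only when the script is invoked with the argument apply.

```shell
#!/bin/sh
# Added example, not from the thread or the Caddy project: run Caddy as a
# normal user on high ports and use pf to redirect 80/443 to them.
# Hypothetical values; adjust to your setup.
CADDY_HTTP_PORT=8080
CADDY_HTTPS_PORT=8443
ANCHOR_NAME=caddy
ANCHOR_FILE=/etc/pf.anchors/caddy

# Accept only a plain decimal port in the unprivileged range 1024-65535.
# Redirecting to a port below 1024 would defeat the point of the exercise,
# and a non-numeric value would end up verbatim inside a pf rule.
is_unprivileged_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Emit the two rdr rules: external port 80 -> Caddy HTTP port,
# external port 443 -> Caddy HTTPS port. Without an "on <iface>" clause the
# rules apply to every interface, so both local (lo0) and remote (en0) clients
# are redirected. "rdr pass" also lets the redirected packets skip the filter
# rules, so they cannot be blocked by a later "block" rule in the main set.
caddy_pf_rules() {
    http_to=$1
    https_to=$2
    printf 'rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port %s\n' "$http_to"
    printf 'rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port %s\n' "$https_to"
}

# Write the rules, parse-check them, and load them into the anchor.
# Needs root; assumes /etc/pf.conf references the anchor with rdr-anchor "caddy".
apply_caddy_pf_rules() {
    if ! is_unprivileged_port "$CADDY_HTTP_PORT" || ! is_unprivileged_port "$CADDY_HTTPS_PORT"; then
        echo "refusing to redirect to a privileged or invalid port" >&2
        return 1
    fi
    caddy_pf_rules "$CADDY_HTTP_PORT" "$CADDY_HTTPS_PORT" > "$ANCHOR_FILE"
    pfctl -nf "$ANCHOR_FILE"                  # -n: parse only, abort on syntax errors
    pfctl -a "$ANCHOR_NAME" -f "$ANCHOR_FILE" # load the rules into the anchor
    pfctl -e 2>/dev/null || true              # enable pf (fails harmlessly if already on)
    pfctl -a "$ANCHOR_NAME" -sn               # show the rdr rules now in effect
}

# Touch pf only when explicitly asked to, and only on macOS.
if [ "${1:-}" = apply ] && [ "$(uname)" = Darwin ]; then
    apply_caddy_pf_rules
fi
```

Run it as `sudo sh redirect.sh apply` after starting Caddy on the high ports as your own user; `caddy_pf_rules 8080 8443` alone just prints the rules so you can inspect them first. Two caveats: the anchor is only evaluated if the main ruleset references it, and rules loaded with pfctl do not survive a reboot, so persist them (for example through /etc/pf.conf or a launchd job) if this is more than a development setup.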