In this blog, we’ll explain how to run the HAProxy service as a non-root user in Linux. From a security standpoint, HAProxy is designed to run with very limited privileges, so that if a future vulnerability were discovered, its compromise would not affect the rest of the system.
Steps to run HAProxy Service as a non-root user in Linux
- Check which user the HAProxy service is running as
# ps -ef | grep haproxy
- Back up the HAProxy configuration file. If you keep more than one backup, include the date and time in the file name to avoid confusion.
# cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg_$(date +%Y%m%d_%H%M)
- Create the HAProxy user and group with no login shell (skip if already created)
# usermod -s /sbin/nologin <username>
- Add the user and group statements to the global section of /etc/haproxy/haproxy.cfg
user haproxy
group haproxy
- Check that the haproxy.cfg configuration file is valid
# service haproxy check
- Restart the HAProxy service
# service haproxy restart
- Now confirm which user is running the HAProxy service
# ps -ef | grep haproxy
- You can also verify the HAProxy logs.
As per best practices, HAProxy should run with very limited privileges. The recommended approach is to isolate it in a chroot jail and to drop its privileges to a non-root user without any permissions inside this jail, so that if a future vulnerability were discovered, its compromise would not affect the rest of the system.
It is pointless to build hand-made chroots to start the process in; these are painful to build, are never properly maintained, and always contain way more bugs than the main file system.
Unfortunately, many administrators confuse “start as root” and “run as root”, so the UID change is done before starting haproxy, which reduces the effective security restrictions.
HAProxy will need to be started as root in order to:
– adjust the file descriptor limits
– bind to privileged port numbers
– bind to a specific network interface
– transparently listen to a foreign address
– isolate itself inside the chroot jail
– drop to another non-privileged UID
HAProxy may need to run as root in order to:
– bind to an interface for outgoing connections
– bind to privileged source ports for outgoing connections
– transparently bind to a foreign address for outgoing connections
Most users will never need the “run as root” case; “start as root” covers most usages.
A safe configuration will have:
– a chroot statement pointing to an empty location without any access permissions. This can be prepared this way on the UNIX command line:
# mkdir /var/empty && chmod 0 /var/empty || echo "Failed"
and referenced like this in the global section:
chroot /var/empty
– user and group statements in the global section:
user haproxy
group haproxy
– a stats socket whose uid, gid and mode restrict who can access it:
stats socket /var/run/haproxy.stat uid hatop gid hatop mode 600
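The safe-configuration checklist above can be checked mechanically. The following script is an added example, not part of the original tutorial: it reads the global section of a haproxy.cfg and reports a missing or root user, missing group and chroot statements, and a stats socket without a restrictive mode. The function name and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report missing privilege-drop
# settings in the global section of a haproxy.cfg, one finding per line.
audit_haproxy_global() {
    awk '
    # A section starts when one of these keywords is the first word.
    $1 ~ /^(global|defaults|frontend|backend|listen|userlist|peers|resolvers)$/ {
        in_global = ($1 == "global"); next
    }
    # Only the global section matters; skip blank lines and comments.
    !in_global || NF == 0 || $1 ~ /^#/ { next }
    $1 == "user"  || $1 == "uid" { user = $2 }
    $1 == "group" || $1 == "gid" { group = $2 }
    $1 == "chroot"               { jail = $2 }
    $1 == "stats" && $2 == "socket" {
        # Options follow the socket path ($3); look for "mode <octal>".
        mode = ""
        for (i = 4; i < NF; i++) if ($i == "mode") mode = $(i + 1)
        if (mode == "")        print "stats socket " $3 ": no explicit mode"
        else if (mode !~ /0$/) print "stats socket " $3 ": mode " mode " allows other users"
    }
    END {
        if (user == "") print "no user/uid statement"
        else if (user == "root" || user == "0") print "user is root"
        if (group == "") print "no group/gid statement"
        if (jail == "")  print "no chroot statement"
    }' "$1"
}

# Constructed sample: a global section that never drops privileges.
sample=$(mktemp)
cat > "$sample" <<'EOF'
global
    log 127.0.0.1 local2
    stats socket /var/run/haproxy.stat mode 666
defaults
    mode http
EOF
audit_haproxy_global "$sample"
rm -f "$sample"
```

An empty result means the global section carries all of the statements listed above; run it against /etc/haproxy/haproxy.cfg before restarting the service.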
End of the tutorial, How to run HAProxy Service as a non-root user in Linux.