When I sshed into my server today, it said I had mail. I checked /var/mail/{myuser} and got a mail from caddy. The title was “SECURITY information for {hostname}”. The message was this.
caddy : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2025_ECC_Root_31435960950297150297199787413716908247066220.crt
I’m still learning this self-hosting thing, I know enough to set stuff up but I still know barely anything about security, and the message looks kinda scary, so I would like to know what it means, thanks in advance. Note that I was messing around with Caddy and stuff yesterday, so maybe that has something to do with it, but I’m not sure.
I can’t believe it. The incident has actually been reported!
I don’t use Caddy, but it seems like it tried to generate and write a TLS certificate into
/usr/local, but didn’t have the necessary permissions. Basically it tried to usesudo tee ...to write a file. Is Caddy running in a container? If it is, you might need to create a volume at/usr/local/share/ca-certificates. If not in a container, you’ll need to grant thecaddyuser write permissions in that directory.But to answer your question directly, it’s not a cause for concern. You’re not getting hacked, it’s just a configuration error.
Caddy should never run sudo IMO, I think it’s also a software bug.
What would be the correct way for caddy to run actions like this that require elevated permissions, in your view?
Don’t require elevated permissions. Either grant the user it runs as permission to that dir, or instruct it to use a different dir that it has access to. Services should have the least permissions possible.
That’s how it already works — Caddy doesn’t require elevated privileges in general. You can toss a binary + config + certs anywhere in the homedir and it’ll go fine if you bind to a non-privileged port.
But users want software to do stuff like help set up certs and serve on ports 80 & 443, so what better option is there than to limit scope of execution by doing pinhole actions with sudo?