When I sshed into my server today, it said I had mail. I checked /var/mail/{myuser} and got a mail from caddy. The title was “SECURITY information for {hostname}”. The message was this.
caddy : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2025_ECC_Root_31435960950297150297199787413716908247066220.crt
I’m still learning this self-hosting thing, I know enough to set stuff up but I still know barely anything about security, and the message looks kinda scary, so I would like to know what it means, thanks in advance. Note that I was messing around with Caddy and stuff yesterday, so maybe that has something to do with it, but I’m not sure.
You must log in or # to comment.
I can’t believe it. The incident has actually been reported!
I don’t use Caddy, but it seems like it tried to generate and write a TLS certificate into
/usr/local, but didn’t have the necessary permissions. Basically it tried to usesudo tee ...to write a file. Is Caddy running in a container? If it is, you might need to create a volume at/usr/local/share/ca-certificates. If not in a container, you’ll need to grant thecaddyuser write permissions in that directory.But to answer your question directly, it’s not a cause for concern. You’re not getting hacked, it’s just a configuration error.
Caddy should never run sudo IMO, I think it’s also a software bug.
What would be the correct way for caddy to run actions like this that require elevated permissions, in your view?
Don’t require elevated permissions. Either grant the user it runs as permission to that dir, or instruct it to use a different dir that it has access to. Services should have the least permissions possible.
That’s how it already works — Caddy doesn’t require elevated privileges in general. You can toss a binary + config + certs anywhere in the homedir and it’ll go fine if you bind to a non-privileged port.
But users want software to do stuff like help set up certs and serve on ports 80 & 443, so what better option is there than to limit scope of execution by doing pinhole actions with sudo?
If you have anything exposed, scripts and bots are testing your server all day, every day. So long as you’ve got proper security in place, ignore the failed attempts.
You’re likely looking for this docs section for Caddy. The failure is the automated request to populate Caddy’s root CA cert to the host system, but obviously failed as it doesn’t have root permissions. As the docs state, if you intend to use the local HTTPS functionality of Caddy, you can manually run
caddy trustprivileged in order to populate the Caddy root CA cert manually. If you intend to disable the local HTTPS functionality (such as if you’re running Caddy behind a http reverse proxy), you can ignore the mail message.Thanks for clearing my anxieties :) Sometimes I feel an irrational fear that perhaps someone has broken into my server because of my lack of security knowledge, so having that mail come in was very anxiety inducing.
