How to securely allow a custom daemon to restart a proxy?


Problem :

I have a custom daemon which manages a blacklist for my proxy (HAProxy). When the blacklist is updated, I need to reload haproxy so that it has the most recent proxy. Unfortunately, manual reloads of haproxy are not reasonable because the blacklist could be updated several times a day.

To solve this problem I created a script to reload haproxy, but it needs to run as root so it can go through systemctl to be properly managed. This script is in the daemon user’s bin directory. I have also changed the ownership of the file to another user (root for now) and permissions to -r-xr-x---. I plan to add the daemon user to the sudoers file with no password access to this script.

I want to know is this practice “secure” or is there a better alternative?

Solution :

Yes, the correct way to set this up is to write a script which only does what the daemon needs, and create a specific sudoers entry to allow the daemon to execute the script. It’s crucial that the daemon user can’t modify the script though, so I wouldn’t store it in the daemon’s home directory. Rather, put it somewhere like /usr/local/bin and make it only writable by root.
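
The setup described in the answer, written out as an added example (it is not part of the original post): the helper body, the matching sudoers rule, and an audit that fails if the helper or its directory could be changed by anyone but root. The user name `blacklistd`, the path `/usr/local/bin/reload-haproxy` and the `systemctl` location are assumptions; GNU `stat` is required.

```shell
#!/bin/sh
# Added example. Assumed names: daemon user "blacklistd", helper path
# /usr/local/bin/reload-haproxy, systemctl at /usr/bin/systemctl.

# Body of the root-owned helper: one fixed command, absolute path,
# nothing taken from arguments or the caller's environment.
helper_body() {
    printf '%s\n' '#!/bin/sh' 'exec /usr/bin/systemctl reload haproxy'
}

# sudoers rule: exact path, root only, no wildcards. The trailing ""
# tells sudo the command may only be run with no arguments.
sudoers_rule() {  # $1 = daemon user, $2 = helper path
    printf '%s ALL=(root) NOPASSWD: %s ""\n' "$1" "$2"
}

# Return 0 only if $1 is owned by uid $2 and has no group/other write bit.
owned_and_locked() {
    set -- "$1" "$2" $(stat -c '%u %a' "$1" 2>/dev/null)
    [ "$#" -eq 4 ] || return 1
    [ "$3" = "$2" ] && [ $(( 0$4 & 022 )) -eq 0 ]
}

# Audit the helper and its directory. A writable directory lets the
# daemon user rename or replace the file even when the file itself is
# read-only, which is why a home directory is the wrong place for it.
audit_helper() {  # $1 = helper path, $2 = trusted uid (default 0 = root)
    [ -f "$1" ] && [ ! -L "$1" ] || {
        echo "FAIL: $1 is not a regular file"; return 1; }
    owned_and_locked "$1" "${2:-0}" || {
        echo "FAIL: $1 has wrong owner or is group/world-writable"; return 1; }
    owned_and_locked "$(dirname "$1")" "${2:-0}" || {
        echo "FAIL: directory of $1 has wrong owner or is writable"; return 1; }
    echo "OK: $1"
}

# Typical use, as root:
#   helper_body > /usr/local/bin/reload-haproxy
#   chown root:root /usr/local/bin/reload-haproxy
#   chmod 755 /usr/local/bin/reload-haproxy
#   audit_helper /usr/local/bin/reload-haproxy
#   sudoers_rule blacklistd /usr/local/bin/reload-haproxy > /tmp/rule
```

Check the generated rule with `visudo -cf` before installing it under `/etc/sudoers.d/`; the daemon then calls `sudo -n /usr/local/bin/reload-haproxy`.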
