The Debian installer starts picapport as root, which is not best practice from a security perspective.
The following systemd unit file launches picapport as the user "picapport". This user must exist on the system, and /opt/picapport and /srv/photos should be owned by this user, or at least be readable and traversable by it.
Contents of the file /etc/systemd/system/picapport-user.service:
[Unit]
Description=Picapport as unprivileged user
# network.target is the standard ordering point; a unit named network.service does not exist on Debian
After=network.target
[Service]
# allow bind to privileged ports
AmbientCapabilities=CAP_NET_BIND_SERVICE
Type=forking
User=picapport
Group=picapport
WorkingDirectory=/opt/picapport
ExecStart=/usr/bin/screen -d -m -S picapport bash /opt/picapport/StartPicApport.sh
ExecStop=/usr/bin/screen -S picapport -p 0 -X stuff 'exit^M'
# screen does not always return exit code 0, so treat 1 as a clean stop as well
SuccessExitStatus=1
RestartSec=15
Restart=always
[Install]
WantedBy=multi-user.target
Switch to the new service (the old root-owned service has to be stopped first, otherwise both would try to bind the same port):
- systemctl daemon-reload
- systemctl disable picapport
- systemctl stop picapport
- systemctl enable picapport-user
- systemctl start picapport-user
Troubleshooting:
Especially if you migrate from a root-owned setup, you may run into permission problems.
To get better logging and find the issues, make sure you can start picapport as user picapport:
- Change the port in /opt/picapport/.picapport/picapport.properties to an unprivileged one (e.g. 8080), so that this test does not depend on CAP_NET_BIND_SERVICE.
- First run, as user picapport (e.g. via sudo -u picapport): bash /opt/picapport/StartPicApport.sh
- If that is successful, run: /usr/bin/screen -d -m -S picapport bash /opt/picapport/StartPicApport.sh
- Then stop picapport again with: /usr/bin/screen -S picapport -p 0 -X stuff 'exit^M'
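Before switching units it helps to check the preconditions above in one go: the service account exists, the two directories are accessible to it, the configured port is either unprivileged or the unit keeps CAP_NET_BIND_SERVICE, and screen is installed. The script below is an added example and not part of the original post or of picapport itself. It assumes the user name, directories and properties file from the post; the name of the port property (PORT_KEY, defaulting to server.port) is an assumption and can be overridden through the environment, as can the other values. Checking a directory for another user relies on sudo being available without a password prompt.

```shell
#!/bin/sh
# Preflight checks before switching picapport to the unprivileged unit.
# Added example, not from the original post. Paths and user name follow
# the post; PORT_KEY is an assumed property name (override if it differs).
set -u

SVC_USER="${SVC_USER:-picapport}"
APP_DIR="${APP_DIR:-/opt/picapport}"
PHOTO_DIR="${PHOTO_DIR:-/srv/photos}"
PROPS="${PROPS:-$APP_DIR/.picapport/picapport.properties}"
PORT_KEY="${PORT_KEY:-server.port}"   # assumption: key that holds the listen port

# user_exists NAME: 0 if the account exists on this system
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# path_accessible_by USER DIR: 0 if USER can read and traverse DIR.
# Runs the test as USER via sudo unless we already are that user.
path_accessible_by() {
    _user="$1"; _dir="$2"
    if [ "$(id -un)" = "$_user" ]; then
        [ -d "$_dir" ] && [ -r "$_dir" ] && [ -x "$_dir" ]
    else
        sudo -n -u "$_user" sh -c '[ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]' sh "$_dir"
    fi
}

# port_from_props FILE: print the numeric value of PORT_KEY, or nothing if unset
port_from_props() {
    sed -n "s/^[[:space:]]*${PORT_KEY}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" 2>/dev/null | head -n 1
}

# port_needs_capability PORT: 0 if PORT is privileged (1..1023), i.e. the
# unit must keep AmbientCapabilities=CAP_NET_BIND_SERVICE to bind it
port_needs_capability() {
    [ "$1" -gt 0 ] 2>/dev/null && [ "$1" -lt 1024 ]
}

# preflight: run every check, print one line each, return the failure count
preflight() {
    fails=0
    if user_exists "$SVC_USER"; then echo "ok   user $SVC_USER exists"
    else echo "FAIL user $SVC_USER missing"; fails=$((fails + 1)); fi
    for d in "$APP_DIR" "$PHOTO_DIR"; do
        if path_accessible_by "$SVC_USER" "$d"; then echo "ok   $d accessible by $SVC_USER"
        else echo "FAIL $d not accessible by $SVC_USER"; fails=$((fails + 1)); fi
    done
    port=$(port_from_props "$PROPS")
    if [ -z "$port" ]; then echo "info no $PORT_KEY found in $PROPS"
    elif port_needs_capability "$port"; then
        echo "info port $port is privileged: keep AmbientCapabilities=CAP_NET_BIND_SERVICE"
    else echo "ok   port $port needs no extra capability"; fi
    if command -v screen >/dev/null 2>&1; then echo "ok   screen installed"
    else echo "FAIL screen not installed"; fails=$((fails + 1)); fi
    return "$fails"
}

# Run the checks only when executed as a script named picapport-preflight.sh
case "${0##*/}" in
    picapport-preflight.sh) preflight ;;
esac
```

Save it as picapport-preflight.sh and run it as root (or as picapport, in which case the directory checks run directly). A non-zero exit status equals the number of failed checks, so it can also gate a migration script.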
I hope this helps to run picapport a little bit more securely, and that it will make it into the Debian package at some point.
Bye
Thomas