Start via systemd as unprivileged user for security reasons


pixel...@gmail.com

Aug 12, 2020, 3:25:58 AM8/12/20
to PicApport
The debian installer starts picapport as root, which is not best practice from a security perspective.

The following systemd config file will launch picapport as the user "picapport". This user must exist in the system, and /opt/picapport and /srv/photos should be owned by this user or at least be accessible to it.

contents of file /etc/systemd/system/picapport-user.service
[Unit]
Description=Picapport as unprivileged User
After=network.service

[Service]
# allow bind to privileged ports (e.g. 80/443) without running as root
AmbientCapabilities=CAP_NET_BIND_SERVICE
# screen -d -m forks and the parent exits, so systemd must expect a forking service
Type=forking

# drop privileges: the whole process tree runs as this user/group
User=picapport
Group=picapport
WorkingDirectory=/opt/picapport
ExecStart=/usr/bin/screen -d -m -S picapport bash /opt/picapport/StartPicApport.sh
# send "exit" + Enter to window 0 of the screen session to stop picapport cleanly
ExecStop=/usr/bin/screen -S picapport -p 0 -X stuff 'exit^M'

# screen doesn't return exit code 0 in any case
SuccessExitStatus=1
RestartSec=15
Restart=always

[Install]
WantedBy=multi-user.target


Switch to the new service:
  • systemctl daemon-reload
  • systemctl disable picapport
  • systemctl disable picapport-user
  • systemctl start picapport-user
Troubleshooting:

Especially if you migrate from a root-owned setup, you may run into permission problems.
To get better logging and find the issues:
Make sure you can start picapport as user picapport:
Change the port in /opt/picapport/.picapport/picapport.properties to an unprivileged one (e.g. 8080).
First run: bash /opt/picapport/StartPicApport.sh
If it is successful, run: /usr/bin/screen -d -m -S picapport bash /opt/picapport/StartPicApport.sh
and stop picapport again with: /usr/bin/screen -S picapport -p 0 -X stuff 'exit^M'

I hope this helps to run picapport a little bit more securely, and that it will make it into the debian package at some point.

Bye
  Thomas
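A pre-flight check for the two preconditions the post names (the unit must run as a non-root user with nothing beyond CAP_NET_BIND_SERVICE, and the directories must be owned by that user), written as an added example rather than code from the post or the PicApport project. It assumes GNU `stat`; the unit path, user name and directories are the ones the post uses.

```shell
#!/bin/sh
# Pre-flight checks before switching PicApport to the unprivileged unit.
# Added example, not from the original post; the paths and the user name
# "picapport" are the post's and are assumptions for any other setup.

# check_unit_file FILE
# Returns 0 when the unit sets a non-root User= and grants no ambient
# capability other than CAP_NET_BIND_SERVICE; prints each finding otherwise.
check_unit_file() {
    unit="$1"
    rc=0
    # last User= line wins, as systemd uses the last assignment
    user=$(sed -n 's/^User=\(.*\)$/\1/p' "$unit" | tail -n 1)
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "$unit: service would run as root (User= missing or root)"
        rc=1
    fi
    # every capability listed must be the one the post grants
    caps=$(sed -n 's/^AmbientCapabilities=//p' "$unit")
    for cap in $caps; do
        if [ "$cap" != "CAP_NET_BIND_SERVICE" ]; then
            echo "$unit: unexpected ambient capability $cap"
            rc=1
        fi
    done
    return $rc
}

# check_paths_owned USER PATH...
# Returns 0 when every path exists and is owned by USER (the post's
# requirement for /opt/picapport and /srv/photos); prints offenders otherwise.
check_paths_owned() {
    owner="$1"; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "$p: does not exist"; rc=1; continue
        fi
        actual=$(stat -c %U "$p")      # GNU stat: owner user name
        if [ "$actual" != "$owner" ]; then
            echo "$p: owned by $actual, not $owner"; rc=1
        fi
    done
    return $rc
}

# Usage as in the post (uncomment on the target host):
# check_unit_file /etc/systemd/system/picapport-user.service
# check_paths_owned picapport /opt/picapport /srv/photos
```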

Thomas König

Nov 14, 2021, 5:25:01 AM11/14/21
to PicApport
Thanks for sharing this. It was exactly what I was looking for but didn't figure out myself.

Cheers, Thomas