Start via systemd as unpriviledged user for security reasons

[pixel...@gmail.com]

The debian installer starts picapport as root, which is not best practice from a security prospective.

following systemd config file, will launch picapport as a user "picapport". This user must exists in the system and /opt/picapport and /srv/photos should be owned by this user or at least accessible.

contents of file /etc/systemd/system/picapport-user.service

[Unit]
Description=Picapport as unpriviledged User
After=network.service

[Service]

# allow bind to privileged ports

AmbientCapabilities=CAP_NET_BIND_SERVICE
Type=forking

User=picapport
Group=picapport
WorkingDirectory=/opt/picapport
ExecStart=/usr/bin/screen -d -m -S picapport bash /opt/picapport/StartPicApport.sh
ExecStop=/usr/bin/screen -S picapport -p 0 -X stuff 'exit^M'

# screen doesn't return exit code 0 in any case

SuccessExitStatus=1
RestartSec=15
Restart=always

[Install]
WantedBy=multi-user.target

Switch to the new service

• systemctl daemon-reload
• systemctl disbale picapport
• systemctl disbale picapport-user
• systemctl start picapport-user

Troubleshooting:

Especially if you mirgate from a root owned setup, you may run into permission problems.

To get better logging and find the issues:

Make sure you can start picapport as user picapport:

Change the port in /opt/picapport/.picapport/picapport.properties to a unprivileged one (e.g. 8080)

First run: bash /opt/picapport/StartPicApport.sh

If it is successful, run /usr/bin/screen -d -m -S picapport bash /opt/picapport/StartPicApport.sh

and stop picapport again with: /usr/bin/screen -S picapport -p 0 -X stuff 'exit^M'

I hope this helps to run picapport a little bit more secure and it will make it into the debian package at one point.

Bye

  Thomas

[Thomas König]

Thanks for sharing this. It was exactly what I was looking for but didn't figure out myself.

Cheers, Thomas