Run hbbr and hbbs not as root
Kurgan- opened this issue · comments
I have just installed the debian packages rustdesk-server-hbbr_1.1.10-3_amd64.deb and rustdesk-server-hbbs_1.1.10-3_amd64.deb on a Debian 11 vm.
Everything works flawlessly, but I have seen that the executables are run as the root user.
I'd like to have them run as a dedicated non privileged user instead of root.
Since the program does not make use (at least by default) of lower ports, even a normal user can run it without issues.
I have modified the systemd units to make it run with a "rustdesk" user and group I have created, I have chowned the /var/log/rustdesk and /var/lib/rustdesk directories (and their contents) and indeed the server works fine without being root.
This allows for a little better security overall in case of some RCE flaw in hbbr and hbbs.
Good idea!
Can you share your work with the community by creating a PR with your modification?
I'm not familiar with github so I'll have to study how to make it.
Running as root is a horrible idea.
You can easily run hbbr and hbbs as normal users. You can even use my super awesome systemd service; make sure to modify the user/group and paths.
In this case I created a normal user:
useradd -m hbb
Uncompressed the rustdesk archive under /home/hbb, which created the subdirectory amd64 from the archive as /home/hbb/amd64
Then created two systemd services:
[Unit]
Description=HBBR Service
Requires=systemd-modules-load.service
After=systemd-modules-load.service
[Service]
Type=simple
Restart=on-failure
User=hbb
Group=hbb
WorkingDirectory=/home/hbb/amd64
ExecStart=/home/hbb/amd64/hbbr
StandardOutput=append:/home/hbb/amd64/relayserver.log
StandardError=append:/home/hbb/amd64/relayserver.error
[Install]
WantedBy=multi-user.target

[Unit]
Description=HBBS Service
Requires=systemd-modules-load.service
After=systemd-modules-load.service
[Service]
Type=simple
Restart=on-failure
User=hbb
Group=hbb
WorkingDirectory=/home/hbb/amd64
ExecStart=/home/hbb/amd64/hbbs
StandardOutput=append:/home/hbb/amd64/signalserver.log
StandardError=append:/home/hbb/amd64/signalserver.error
[Install]
WantedBy=multi-user.target
Finally, if you are using Alma, Rocky or Oracle Linux (derivatives of RHEL) then you also need to give some extra permissions to SELinux, here is the SELinux module with the required permissions:
module hbb 1.3;
require {
type init_t;
type user_home_t;
class file { ioctl append create execute execute_no_trans lock map open read write };
}
#============= init_t ==============
allow init_t user_home_t:file { execute execute_no_trans lock map open read write };
allow init_t user_home_t:file create;
allow init_t user_home_t:file append;
allow init_t user_home_t:file ioctl;
I hope this helps others get more secure and NEVER run as root !!! woot !!!
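As an added example (not code from the issue, from its commenters, or from RustDesk), a small POSIX shell check that reads a unit file's [Service] section and reports whether the service would start as root, so modified units like the ones above can be audited before `systemctl daemon-reload`. The sample unit files it writes are constructed for the demo; the second one is adapted from the HBBS unit in the thread.

```shell
#!/bin/sh
# Added example, not part of the issue: audit a systemd unit file and tell
# whether its service would start as root. systemd defaults to root when the
# [Service] section has no User= (or an empty one); the last User= line wins.

unit_service_user() {
    # Print the effective User= of the [Service] section ("root" when absent).
    [ -r "$1" ] || return 2
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^User[ \t]*=/ {
            sub(/^User[ \t]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); user = $0
        }
        END { printf "%s\n", (user == "" ? "root" : user) }
    ' "$1"
}

unit_runs_as_root() {
    # Exit 0 if the unit runs as root, 1 if a non-root user is set, 2 if unreadable.
    user=$(unit_service_user "$1") || return 2
    [ "$user" = "root" ]
}

audit_units() {
    # Report every unit given as argument; return 1 if any runs as root or is unreadable.
    rc=0
    for f in "$@"; do
        st=0; unit_runs_as_root "$f" || st=$?
        case $st in
            0) echo "ROOT  $f"; rc=1 ;;
            1) echo "ok    $f (User=$(unit_service_user "$f"))" ;;
            *) echo "ERR   $f (unreadable)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample units: a naive one with no User=, and the thread's HBBS unit.
demo_dir=$(mktemp -d)
printf '[Unit]\nDescription=naive\n[Service]\nExecStart=/usr/bin/hbbs\n' > "$demo_dir/naive.service"
cat > "$demo_dir/hbbs.service" <<'EOF'
[Unit]
Description=HBBS Service
[Service]
User=hbb
Group=hbb
ExecStart=/home/hbb/amd64/hbbs
EOF
audit_units "$demo_dir/naive.service" "$demo_dir/hbbs.service" || true
```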
BTW, if you run with pm2, it is not root either. I never run hbbs/hbbr as root.
https://rustdesk.com/docs/en/self-host/rustdesk-server-oss/install/#option-2