rustdesk / rustdesk-server

RustDesk Server Program

Home Page: https://rustdesk.com/server


Run hbbr and hbbs not as root

Kurgan- opened this issue · comments

I have just installed the debian packages rustdesk-server-hbbr_1.1.10-3_amd64.deb and rustdesk-server-hbbs_1.1.10-3_amd64.deb on a Debian 11 vm.

Everything works flawlessly, but I have seen that the executables are run as the root user.

I'd like to have them run as a dedicated non privileged user instead of root.

Since the program does not make use (at least by default) of lower ports, even a normal user can run it without issues.

I have modified the systemd units to make them run with a "rustdesk" user and group I have created, and I have chowned the /var/log/rustdesk and /var/lib/rustdesk directories (and their contents). Indeed the server works fine without being root.

This allows for a little better security overall in case of some RCE flaw in hbbr and hbbs.
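The steps described in this report (dedicated account, chown of the state directories, units switched to that account), written up as a POSIX shell script. This is an added example, not code from the RustDesk project or from the reporter. It assumes the Debian units are named hbbs.service and hbbr.service, that the state directories are /var/lib/rustdesk and /var/log/rustdesk, and that the account is called "rustdesk"; the PREFIX variable lets the drop-in generation be exercised against a scratch tree instead of the live system.

```sh
#!/bin/sh
# Added example (not the RustDesk project's own code): move hbbs/hbbr from
# root to a dedicated service account using systemd drop-ins, so the
# packaged unit files stay untouched and survive upgrades.
# Assumptions (labelled): unit names hbbs.service / hbbr.service, state
# directories /var/lib/rustdesk and /var/log/rustdesk, account "rustdesk".
# PREFIX="" means the live filesystem; a scratch PREFIX is for testing.
set -u

RD_USER="${RD_USER:-rustdesk}"
RD_DIRS="/var/lib/rustdesk /var/log/rustdesk"
PREFIX="${PREFIX:-}"

# Print the account a unit will run as, the way systemd resolves it:
# the unit file (an /etc copy shadows the /lib copy), then drop-ins in
# lexical order, last User= wins; nothing set (or User=) means root.
effective_user() {
    unit="$1"
    base=""
    for d in etc/systemd/system lib/systemd/system usr/lib/systemd/system; do
        if [ -f "$PREFIX/$d/$unit" ]; then
            base="$PREFIX/$d/$unit"
            break
        fi
    done
    {
        [ -n "$base" ] && cat "$base"
        for f in "$PREFIX/etc/systemd/system/$unit.d"/*.conf; do
            [ -f "$f" ] && cat "$f"
        done
        :
    } | awk '/^[ \t]*User[ \t]*=/ {
                 v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); u = v
             }
             END { print (u == "" ? "root" : u) }'
}

# Write a drop-in that changes only the identity the unit runs under
# (plus NoNewPrivileges, which a relay/rendezvous daemon never needs off).
write_dropin() {
    unit="$1"
    dir="$PREFIX/etc/systemd/system/$unit.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-nonroot.conf" <<EOF
[Service]
User=$RD_USER
Group=$RD_USER
# The daemon must not be able to regain privileges once started.
NoNewPrivileges=yes
EOF
}

# Live-system steps: create the account, hand over the state directories,
# install the drop-ins and restart. Refuses to run against a scratch PREFIX.
apply_live() {
    [ -z "$PREFIX" ] || { echo "apply_live: PREFIX must be empty" >&2; return 1; }
    id "$RD_USER" >/dev/null 2>&1 ||
        useradd --system --shell /usr/sbin/nologin --no-create-home "$RD_USER"
    chown -R "$RD_USER:$RD_USER" $RD_DIRS
    for u in hbbs.service hbbr.service; do
        write_dropin "$u" || return 1
    done
    systemctl daemon-reload
    systemctl restart hbbs.service hbbr.service
    for u in hbbs.service hbbr.service; do
        echo "$u runs as $(effective_user "$u")"
    done
}

case "${1:-}" in
    apply) apply_live ;;
esac
```

Run it as `sudo sh harden-rustdesk.sh apply` on the server. Drop-ins rather than edited unit files are the point: the next package upgrade replaces /lib/systemd/system/hbbs.service but leaves /etc/systemd/system/hbbs.service.d/ alone, so the service keeps running unprivileged.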

Good idea!
Can you share your work with the community by creating a PR with your modification?

I'm not familiar with GitHub, so I'll have to study how to do it.

Systemd units are here: hbbr and hbbs

You should also consider user creation when the package is installed. Some docs

Running as root is a horrible idea.

You can easily run hbbr and hbbs as normal users. You can even use my super awesome systemd service, make sure to modify the user/group and paths.

In this case I created a normal user:
useradd -m hbb

Uncompressed the rustdesk archive under
/home/hbb

Which created the subdirectory amd64 from the archive as:
/home/hbb/amd64

Then created two systemd services:

[Unit]
Description=HBBR Service
Requires=systemd-modules-load.service
After=systemd-modules-load.service

[Service]
Type=simple
Restart=on-failure
User=hbb
Group=hbb
WorkingDirectory=/home/hbb/amd64
ExecStart=/home/hbb/amd64/hbbr
StandardOutput=append:/home/hbb/amd64/relayserver.log
StandardError=append:/home/hbb/amd64/relayserver.error

[Install]
WantedBy=multi-user.target

[Unit]
Description=HBBS Service
Requires=systemd-modules-load.service
After=systemd-modules-load.service

[Service]
Type=simple
Restart=on-failure
User=hbb
Group=hbb
WorkingDirectory=/home/hbb/amd64
ExecStart=/home/hbb/amd64/hbbs
StandardOutput=append:/home/hbb/amd64/signalserver.log
StandardError=append:/home/hbb/amd64/signalserver.error

[Install]
WantedBy=multi-user.target

Finally, if you are using Alma, Rocky or Oracle Linux (derivatives of RHEL), then you also need to grant SELinux some extra permissions. Here is the SELinux module with the required permissions:

module hbb 1.3;

require {
	type init_t;
	type user_home_t;
	class file { ioctl append create execute execute_no_trans lock map open read write };
}

#============= init_t ==============

allow init_t user_home_t:file { execute execute_no_trans lock map open read write };
allow init_t user_home_t:file create;
allow init_t user_home_t:file append;
allow init_t user_home_t:file ioctl;

I hope this helps others get more secure and NEVER run as root !!! woot !!!
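Once the units above are in place, the thing to verify is that no hbbs/hbbr process is still running as root (for example a copy started by hand before the services were enabled). Below is an added check, not code from the post above or from the RustDesk project: it filters `ps -eo user:20,pid,comm` output and fails if either binary runs as root. The process table in SAMPLE_PS is constructed for the example.

```sh
#!/bin/sh
# Added example (not from the RustDesk project): after switching hbbs/hbbr
# to a normal user, confirm nothing is still running them as root.
set -u

# Reads `ps -eo user:20,pid,comm` style lines on stdin, skips the header,
# prints "user pid comm" for every hbbs/hbbr process and returns 1 if any
# of them is owned by root.
find_root_relays() {
    awk 'NR > 1 && ($3 == "hbbs" || $3 == "hbbr") {
             print $1, $2, $3
             if ($1 == "root") bad = 1
         }
         END { exit (bad ? 1 : 0) }'
}

# Constructed process table: hbbr was moved to "hbb" but a root hbbs remains.
SAMPLE_PS='USER                   PID COMMAND
root                     1 systemd
hbb                   1201 hbbr
root                  1337 hbbs
hbb                   1402 sshd'

# Live check: running processes plus the User= systemd has configured.
check_live() {
    ps -eo user:20,pid,comm | find_root_relays
    for u in hbbs.service hbbr.service; do
        printf '%s configured User=%s\n' "$u" "$(systemctl show -p User --value "$u")"
    done
}

case "${1:-}" in
    live) check_live ;;
    *)    printf '%s\n' "$SAMPLE_PS" | find_root_relays ||
              echo "FAIL: a relay process still runs as root" >&2 ;;
esac
```

Run with `sh check-rustdesk-user.sh live` on the server; without arguments it runs against the constructed sample, which deliberately contains a root hbbs and so reports FAIL.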

BTW, if you run with pm2, it is not root either. I never run hbbs/hbbr as root.

https://rustdesk.com/docs/en/self-host/rustdesk-server-oss/install/#option-2