Skip to content

Write PIDFile inside /var/run/usbguard directory#498

Open
juspence wants to merge 1 commit intoUSBGuard:mainfrom
juspence:master
Open

Write PIDFile inside /var/run/usbguard directory#498
juspence wants to merge 1 commit intoUSBGuard:mainfrom
juspence:master

Conversation

@juspence
Copy link

@juspence juspence commented Nov 20, 2021
edited
Loading

Related to #460, it is possible to run USBGuard as an unprivileged (non-root) user even with the -f option & Type=forking in the unit file. To get this to work, I had to:

  1. Add a new "usbguard" user and group using systemd-sysusers.
  2. Change ownership of "/etc/usbguard/" and "/var/log/usbguard/" to the "usbguard:usbguard" user and group. I may have changed other folders as well but I don't fully remember.
  3. Recompile USBGuard to write its PID file to the "/var/run/usbguard/" directory (which can be owned by "usbguard:usbguard") instead of "/var/run/" (which must be owned by root, so writing the PID file as an unprivileged user fails).
  4. Update the "PIDFile=/var/run/usbguard/usbguard.pid" option, and add the "User=usbguard", "Group=usbguard", and "SupplementaryGroups=" options to the unit file.

EDIT:
5) Add "CAP_DAC_OVERRIDE" to "AmbientCapabilities=" and "CapabilityBoundingSet=" in the unit file. This is needed so that USBGuard can actually write to the "authorized" properties of the different USB devices under /sys. I think this shouldn't be much of a security risk, since other hardening options in the unit file prevent arbitrary writes to the rest of the system.
6) Add "AmbientCapabilities=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE CAP_DAC_OVERRIDE" if you want to allow non-root users to manage USBGuard through the IPC interface.

And after testing, #3 is very obviously not necessary. USBGuard has the "-p" option to specify where the PID file is written to, no recompilation needed. That's what I get for looking at the source code before the man page...

It would be nice if the PID file was in its own folder by default, but it's not a major issue. Given that CAP_DAC_OVERRIDE is needed, I won't submit a PR to make running as a dedicated user the default. But for those who are interested, the above should be all that's needed to make it work.

hartwork
hartwork reviewed Jan 27, 2022
View reviewed changes
Copy link
Contributor

@hartwork hartwork left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@juspence does the USBGuard code create folder /var/run/usbguard anywhere if it's missing?

@juspence
Copy link
Author

juspence commented Jan 28, 2022

@hartwork Technically it's Systemd that creates this directory, but it does happen automatically when needed. The line "RuntimeDirectory=usbguard" in the unit file means "create /var/run/usbguard before the service starts".

@hartwork
Copy link
Contributor

hartwork commented Jan 28, 2022

@juspence thanks for your reply. I think that means that all distros without systemd for an init system will have to extend their init script to create that directory on demand then.

@Cropi
Copy link
Member

Cropi commented Sep 8, 2022

Does the PID file get deleted when the daemon exits due to RuntimeDirectory=usbguard? I am not sure if we do such a cleanup right now, but that could be useful as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@hartwork hartwork hartwork left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@juspence @hartwork @Cropi