Running noVNC as a service
To make SUDA as secure as possible, it is best practice not to run any service as the root user. There are two services we need to run as two separate users. One is the noVNC service, which runs noVNC and serves the web content.
To do this we need to enable non-root users to open low-numbered (privileged) ports. For this we need
Adding a systemd service as an unprivileged user
To be able to do that as a jailed user we need to create and enable a systemd service as that user (after adding systemd to the jail).
We do that by creating a new file under the desired user's home folder (in this case ~/.config/systemd/user/x11vnc.service) with the following contents:
[Unit]
Description=VNC Server for X11

[Service]
ExecStart=x11vnc -shared -forever -noxdamage -localhost -noxrecord -nopw -many >
Restart=always

[Install]
WantedBy=default.target
Note that the Install section should only contain WantedBy=default.target, as other systemd targets don't seem to work in user mode.
After creating the file, issuing
systemctl --user enable x11vnc.service
will set the service to start at boot, and the Restart=always setting tells systemd to restart it whenever it exits for any reason.
Issuing sudo reboot
will reboot the system and test whether the service works.
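The procedure above as an added shell example (not part of the original page): it writes the user unit into a directory, reads values back for checking, and wraps the enable steps. The absolute x11vnc path, the DISPLAY value, RestartSec and the loginctl enable-linger call are assumptions added here; lingering is what lets a user unit start at boot without an interactive login.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumes x11vnc is installed at
# /usr/bin/x11vnc; the DISPLAY value and unit directory are constructed inputs.

# write_x11vnc_unit <dir> <display>
# Writes <dir>/x11vnc.service and prints the path written.
write_x11vnc_unit() {
    dir="$1"; display="${2:-:0}"
    mkdir -p "$dir"
    cat > "$dir/x11vnc.service" <<EOF
[Unit]
Description=VNC Server for X11

[Service]
Environment=DISPLAY=$display
# -localhost keeps the VNC socket on loopback; noVNC proxies it locally,
# so the -nopw VNC side is never reachable from the network.
ExecStart=/usr/bin/x11vnc -shared -forever -noxdamage -localhost -noxrecord -nopw -many -display $display
Restart=always
RestartSec=5

[Install]
# Only default.target works for user units; other targets are ignored.
WantedBy=default.target
EOF
    printf '%s\n' "$dir/x11vnc.service"
}

# unit_value <file> <key>: print the first value of <key>= in a unit file,
# useful for checking what was written before enabling it.
unit_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# enable_x11vnc_unit: run as the unprivileged user, after writing the unit
# to ~/.config/systemd/user. Lingering makes the unit start at boot.
enable_x11vnc_unit() {
    systemctl --user daemon-reload
    systemctl --user enable --now x11vnc.service
    loginctl enable-linger "$(id -un)"
}

# Usage (as the jailed user):
#   write_x11vnc_unit "$HOME/.config/systemd/user" :0 && enable_x11vnc_unit
```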