Running novnc and x11vnc as systemd services
In the attempt to make SUDA as secure as possible, it's best practice not to run any services as the root user. There are two services we need to run as two separate users. One is the noVNC service that runs noVNC and serves web content; the other is the x11vnc service described further below.
To do this we need to enable non-root users to open low-numbered (privileged) ports. For this we need to install authbind. Authbind allows us to bind sockets to privileged ports without root. To enable binding to port 443 (the standard SSL/TLS port) issue
sudo touch /etc/authbind/byport/443
Now we can create the noVNC systemd service by putting a file with contents like the following in /etc/systemd/system/novnc.service
[Service]
User=www-data
ExecStart=
ExecStart=authbind --deep novnc --listen 443 --cert /etc/letsencrypt/live/suda.formatc.hr/fullchain.pem --key /etc/letsencrypt/live/suda.formatc.hr/privkey.pem
[Install]
WantedBy=graphical.target
The User parameter should be set to an unprivileged user different from the kiosk user that runs the xorg session.
We can now enable the service by issuing
sudo systemctl enable novnc.service
Adding a systemd service as an unprivileged user
To be able to run a service as the jailed user we need to create and enable a systemd service as that user (after adding systemd to the jail).
We do that by creating a new file under the .config directory in the desired user's home folder (in this case ~/.config/systemd/user/x11vnc.service) with the following contents:
[Unit]
Description=VNC Server for X11
[Service]
ExecStart=x11vnc -shared -forever -noxdamage -localhost -noxrecord -nopw -many >
Restart=always
[Install]
WantedBy=default.target
Note that the Install part should only have WantedBy=default.target
as other systemd targets don't seem to work in user mode.
After creating the file, issuing
systemctl --user enable x11vnc.service
will set the service to start at boot. The Restart=always option tells systemd to always restart the service if it fails for any reason.
Issuing sudo reboot
will reboot the system and test whether the services work.
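As an added example (not part of this page or of the SUDA project), a small POSIX shell pre-flight script that checks both unit files above for the constraints this page relies on: a non-root User= in the system unit, authbind wrapping a privileged --listen port, an authbind byport file the service user can actually execute (authbind grants a port only when that file passes an execute-permission check for the calling user), and WantedBy=default.target in the user unit. The function names, the AUTHBIND_DIR override and the idea of running it as the service user are assumptions for this example.

```shell
#!/bin/sh
# Pre-flight checks for the novnc and x11vnc units (added example, not part
# of the original page). Run it as the service user, e.g.
#   sudo -u www-data sh preflight.sh
# so that the executable test on the byport file reflects that user's access.
set -u

# Directory of authbind permission files; overridable for testing.
AUTHBIND_DIR=${AUTHBIND_DIR:-/etc/authbind/byport}

# Print the last KEY= value in a unit file (systemd keeps the last assignment,
# which is why "ExecStart=" followed by "ExecStart=authbind ..." works).
unit_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Succeed if the unit sets User= to an account other than root.
unit_runs_unprivileged() {
    user=$(unit_value "$1" User)
    [ -n "$user" ] && [ "$user" != root ] && [ "$user" != 0 ]
}

# Succeed if a privileged (<1024) --listen port is wrapped by authbind,
# or if the unit does not listen on a privileged port at all.
unit_uses_authbind_for_low_port() {
    exec_line=$(unit_value "$1" ExecStart)
    port=$(printf '%s\n' "$exec_line" | sed -n 's/.*--listen \([0-9]*\).*/\1/p')
    [ -z "$port" ] || [ "$port" -ge 1024 ] || \
        printf '%s\n' "$exec_line" | grep -q '^authbind '
}

# Succeed if the authbind permission file for PORT exists and is executable
# by the current (service) user; "sudo touch" alone leaves it mode 644.
authbind_port_ok() {
    [ -x "$AUTHBIND_DIR/$1" ]
}

# Succeed if a user-mode unit installs only into default.target, the one
# target the page found to work under "systemctl --user".
user_unit_install_ok() {
    wanted=$(sed -n 's/^WantedBy=//p' "$1")
    [ "$wanted" = default.target ]
}
```

Typical use before the reboot: `unit_runs_unprivileged /etc/systemd/system/novnc.service && unit_uses_authbind_for_low_port /etc/systemd/system/novnc.service && authbind_port_ok 443 && user_unit_install_ok ~/.config/systemd/user/x11vnc.service && echo ok`.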