
Running noVNC and x11vnc as systemd services

For security reasons it's best practice not to run any services as the root user. There are two services we need to run, as two separate users. One is the noVNC service that runs noVNC and serves the web content; the other is x11vnc, which runs as the jailed kiosk user and is covered in the second part of this page.

To do this we need to let a non-root user bind low-numbered (privileged, below 1024) ports. For this we install authbind, which allows a program to bind a privileged port without running as root. authbind only honours a per-port permission file that the requesting user can execute, so creating the file with touch alone (root-owned, mode 644) is not enough. To allow the service user (www-data, see the unit below) to bind port 443 (the standard HTTPS port) issue

sudo touch /etc/authbind/byport/443
sudo chown www-data /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443

Now we can create the noVNC systemd service by putting a complete unit file with contents like the one below in /etc/systemd/system/novnc.service

[Unit]
Description=noVNC web client on port 443

[Service]
User=www-data
ExecStart=/usr/bin/authbind --deep novnc --listen 443 --cert /etc/letsencrypt/live/suda.formatc.hr/fullchain.pem --key /etc/letsencrypt/live/suda.formatc.hr/privkey.pem

[Install]
WantedBy=graphical.target

The User parameter should be set to an unprivileged user different from the kiosk user that runs the Xorg session. That user must also be able to read the certificate and the private key: certbot keeps /etc/letsencrypt/live and /etc/letsencrypt/archive readable by root only, so unless read access to the key is granted to the service user (for example through a group), the service will fail to start.

We can now enable the service by issuing

sudo systemctl enable novnc.service
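The noVNC part of the procedure above, as an added shell script that is not from the original page. It assumes the service user www-data, port 443, the Let's Encrypt paths quoted above and authbind at /usr/bin/authbind; the byport directory can be overridden through AUTHBIND_BYPORT so the permission check can be exercised without root. The ProtectSystem, ProtectHome and PrivateTmp directives are hardening additions beyond the page's minimal unit. NoNewPrivileges= is deliberately left out, because authbind works through a setuid helper that NoNewPrivileges would stop from gaining the bind privilege.

```shell
#!/bin/sh
# Added example, not from the original page: set up authbind for the
# unprivileged noVNC service user, render the unit file and install it.
# Assumptions (not stated by the page): service user www-data, port 443,
# the Let's Encrypt paths quoted above, authbind at /usr/bin/authbind.
# AUTHBIND_BYPORT can be overridden so the checks can run without root.
set -eu

AUTHBIND_BYPORT="${AUTHBIND_BYPORT:-/etc/authbind/byport}"

# authbind lets a user bind <port> only if $AUTHBIND_BYPORT/<port> exists
# and is executable by that user, so a bare `touch` (0644, root-owned) is
# not enough. Returns 0 when the file is usable, 1 with a reason otherwise.
check_byport() {
    port="$1"; user="$2"
    f="$AUTHBIND_BYPORT/$port"
    [ -e "$f" ] || { echo "missing $f" >&2; return 1; }
    owner="$(stat -c %U "$f")"
    [ "$owner" = "$user" ] || { echo "$f owned by $owner, not $user" >&2; return 1; }
    case "$(stat -c %A "$f")" in
        ???x*) return 0 ;;                       # owner execute bit set
        *) echo "$f is not executable by $user" >&2; return 1 ;;
    esac
}

# Create the byport file the way authbind expects (run as root).
setup_byport() {
    port="$1"; user="$2"
    install -d -m 755 "$AUTHBIND_BYPORT"
    touch "$AUTHBIND_BYPORT/$port"
    chown "$user" "$AUTHBIND_BYPORT/$port"
    chmod 500 "$AUTHBIND_BYPORT/$port"
    check_byport "$port" "$user"
}

# Render a complete unit. A fresh unit file needs no empty `ExecStart=`
# reset line (that idiom is for drop-in overrides). ProtectSystem/
# ProtectHome/PrivateTmp are hardening additions beyond the page's unit.
# NoNewPrivileges= is intentionally absent: authbind relies on a setuid
# helper, which NoNewPrivileges would stop from gaining the bind privilege.
render_novnc_unit() {
    user="$1"; port="$2"; cert="$3"; key="$4"
    cat <<EOF
[Unit]
Description=noVNC (websockify) on port $port
After=network-online.target
Wants=network-online.target

[Service]
User=$user
ExecStart=/usr/bin/authbind --deep novnc --listen $port --cert $cert --key $key
Restart=on-failure
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=graphical.target
EOF
}

main() {
    user=www-data; port=443
    cert=/etc/letsencrypt/live/suda.formatc.hr/fullchain.pem
    key=/etc/letsencrypt/live/suda.formatc.hr/privkey.pem
    setup_byport "$port" "$user"
    # certbot keeps live/ and archive/ readable by root only; the unit
    # cannot start unless the service user can read the private key.
    su -s /bin/sh "$user" -c "test -r '$key'" \
        || { echo "$key is not readable by $user" >&2; exit 1; }
    render_novnc_unit "$user" "$port" "$cert" "$key" > /etc/systemd/system/novnc.service
    systemctl daemon-reload
    systemctl enable --now novnc.service
    # Verify: the main process runs as $user and owns the listening socket.
    systemctl show -p User -p MainPID novnc.service
    ss -ltnp "sport = :$port"
}

if [ "${1:-}" = apply ]; then main; fi
```

Run it as root with the argument apply to install; without the argument it only defines the functions. On systemd 229 and later, AmbientCapabilities=CAP_NET_BIND_SERVICE in the [Service] section lets the unit bind port 443 without authbind at all, and with authbind gone NoNewPrivileges=yes can be added as well.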

Adding a systemd service as an unprivileged user


To run a service as the jailed user we need to create and enable a systemd service as that user (after adding systemd to the jail).

We do that by creating a new file under the .config directory in the desired user's home folder (in this case ~/.config/systemd/user/x11vnc.service) with the following contents:

[Unit]
Description=VNC Server for X11

[Service]
ExecStart=x11vnc -shared -forever -noxdamage -localhost -noxrecord -nopw -many
Restart=always

[Install]
WantedBy=default.target

Note that the Install section should use WantedBy=default.target. The user instance has its own small set of targets, and system targets such as graphical.target do not exist there, so a user unit wanted by one of them is never started.

After creating the file, issuing

systemctl --user enable x11vnc.service

will start the service whenever this user's systemd instance starts, which happens at login (or at boot, if lingering has been enabled for the user with loginctl enable-linger). The Restart=always option tells systemd to restart it whenever it exits, whether it failed or exited cleanly.

Issuing sudo reboot will reboot the system and test whether both services come up; check them afterwards with systemctl status (system-wide for novnc, and with --user as the kiosk user for x11vnc).
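The user-service part of the procedure, as an added script that is likewise not from the original page. It assumes the X display is :0 (override with DISPLAY), x11vnc at /usr/bin/x11vnc on its default port 5900, and it adds a check the page does not have: it refuses to install an ExecStart that uses -nopw without -localhost, since -nopw disables VNC authentication and only the loopback binding keeps that server private to the local noVNC proxy. It also sets DISPLAY in the unit, because a systemd user service does not inherit the X session's environment.

```shell
#!/bin/sh
# Added example, not from the original page: install x11vnc as a systemd
# *user* service for the jailed kiosk user, with a sanity check on the
# ExecStart flags. Assumptions not in the page: X display :0 (override
# with DISPLAY), x11vnc at /usr/bin/x11vnc on its default port 5900.
set -eu

# -nopw disables VNC authentication. That is only acceptable together with
# -localhost, which binds the listener to loopback so only the local
# noVNC/websockify proxy can reach it. Returns 1 for -nopw without -localhost.
x11vnc_exec_ok() {
    case " $1 " in
        *" -nopw "*)
            case " $1 " in
                *" -localhost "*) return 0 ;;
            esac
            echo "refusing ExecStart: -nopw without -localhost exposes an unauthenticated VNC server" >&2
            return 1 ;;
    esac
    return 0
}

# A user service does not inherit DISPLAY/XAUTHORITY from the X session, so
# the display is set explicitly (XAUTHORITY defaults to ~/.Xauthority, which
# the kiosk user owns). WantedBy must be default.target: system targets such
# as graphical.target do not exist in the user instance.
render_x11vnc_unit() {
    cat <<EOF
[Unit]
Description=VNC Server for X11

[Service]
Environment=DISPLAY=$1
ExecStart=/usr/bin/x11vnc -shared -forever -noxdamage -localhost -noxrecord -nopw -many
Restart=always
RestartSec=2

[Install]
WantedBy=default.target
EOF
}

# Extract the command from a rendered unit so it can be checked before install.
exec_line() {
    printf '%s\n' "$1" | sed -n 's/^ExecStart=//p'
}

main() {
    unit="$(render_x11vnc_unit "${DISPLAY:-:0}")"
    x11vnc_exec_ok "$(exec_line "$unit")"
    mkdir -p "$HOME/.config/systemd/user"
    printf '%s\n' "$unit" > "$HOME/.config/systemd/user/x11vnc.service"
    systemctl --user daemon-reload
    systemctl --user enable --now x11vnc.service
    # The user instance starts at login; to start it (and x11vnc) at boot
    # without waiting for a login, root runs: loginctl enable-linger <user>
    # Verify: port 5900 must be bound to 127.0.0.1 (or ::1) only, never 0.0.0.0.
    ss -ltn 'sport = :5900'
}

if [ "${1:-}" = apply ]; then main; fi
```

Run it as the kiosk user with the argument apply; without the argument it only defines the functions, so the flag check can be reused against any other ExecStart line before it is installed.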