Skip to main content

Runninng novnc and x11vnc as systemd services

For security reasons it's best practice not to run any services as the root user. There are two services we need to run as two separate users. One is the noVNC service that runs noVNC and serves web content.

To do this we need to enable non-root users to open low lever ports. For this we need to install authbind. Authbind allows us to bind sockets to privileged ports without root. To enable binding to port 443 (standard ssl port) issue

sudo touch /etc/authbind/byport/443 

Now we can create the noVNC systemd service by putting a file with contents like below in /etc/systemd/system/novnc.service 

[Service]
User=www-data
ExecStart=
ExecStart=authbind --deep novnc --listen 443 --cert /etc/letsencrypt/live/suda.formatc.hr/fullchain.pem --key /etc/letsencrypt/live/suda.formatc.hr/privkey.pem

[Install]
WantedBy=graphical.target

The User parameter should be set to an unprivileged user different then the kiosk user that runs the xorg session.

We can now enable the service by issuing

sudo systemctl enable novnc.service

Adding a systemd service as an unprivilledged user


To be able to run a service as the jailed user we need to create and enable a systemd service as that user (after adding systemd to the jail).

We do that by creating a new file under the .config directory in the desired user's home folder - ¨/.config/systemd/user/x11vnc.service with the following contents:

[Unit]
Description=VNC Server for X11

[Service]
ExecStart=x11vnc -shared -forever -noxdamage -localhost -noxrecord -nopw -many >
Restart=always

[Install]
WantedBy=default.target

Note that the Install part should only have WantedBy=default.target as other systemd targets don't seem to work in user mode.

After creating the file issuing

systemctl --user enable x11vnc.service

will set the service to boot at startup. The Restart=always option will tell it to always restart if it fails for any reason.

Issuing sudo reboot will reboot the system and test if the services work.