Running noVNC and x11vnc as systemd services
For security reasons it's best practice not to run any services as the root user. There are two services we need to run, each as its own separate user. One is the noVNC service, which runs noVNC and serves the web content; the other is the x11vnc service, covered further down.
To do this we need to enable non-root users to open privileged (low-numbered) ports. For this we need to install authbind. Authbind allows us to bind sockets to privileged ports without root. To enable binding to port 443 (the standard SSL/TLS port) issue
sudo touch /etc/authbind/byport/443
Now we can create the noVNC systemd service by putting a file with contents like the one below in /etc/systemd/system/novnc.service
[Service]
# Unprivileged account; must not be the kiosk user that owns the Xorg session.
User=www-data
# www-data needs read access to the certificate and key files referenced here.
ExecStart=authbind --deep novnc --listen 443 --cert /etc/letsencrypt/live/suda.formatc.hr/fullchain.pem --key /etc/letsencrypt/live/suda.formatc.hr/privkey.pem
[Install]
WantedBy=graphical.target
The User parameter should be set to an unprivileged user different from the kiosk user that runs the Xorg session.
We can now enable the service by issuing
sudo systemctl enable novnc.service
Adding a systemd service as an unprivileged user
To be able to run a service as the jailed user we need to create and enable a systemd service as that user (after adding systemd to the jail).
We do that by creating a new file under the .config directory in the desired user's home folder, ~/.config/systemd/user/x11vnc.service, with the following contents:
[Unit]
Description=VNC Server for X11
[Service]
# -localhost only accepts loopback connections, so noVNC must proxy from the same host;
# -nopw means no VNC password, so that loopback restriction is the only access control.
ExecStart=x11vnc -shared -forever -noxdamage -localhost -noxrecord -nopw -many
Restart=always
[Install]
WantedBy=default.target
Note that the Install part should only have WantedBy=default.target, as other systemd targets don't seem to work in user mode.
After creating the file, issuing
systemctl --user enable x11vnc.service
will set the service to start automatically. The Restart=always option tells systemd to restart it whenever it exits, for any reason.
Issuing
sudo reboot
will reboot the system so you can check that both services come up.
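As an added pre-flight check (example script, not part of the original post), the following POSIX shell script verifies the three things the setup above relies on before you enable the units: the noVNC system unit names a non-root User=, the x11vnc user unit only wants default.target, and the authbind byport file exists and is executable. Each check takes the file or directory to inspect as a parameter, so here it runs on constructed sample files; the real paths (/etc/systemd/system/novnc.service, ~/.config/systemd/user/x11vnc.service, /etc/authbind/byport) are assumptions to substitute on the kiosk.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for the novnc/x11vnc
# units and the authbind setup, exercised on constructed sample files below.

# 0 if the system unit sets User= to an account other than root.
unit_runs_unprivileged() {
    user=$(sed -n 's/^User=//p' "$1" | tail -n 1)
    [ -n "$user" ] && [ "$user" != "root" ]
}

# 0 if every WantedBy= in the unit is default.target, the target that works
# for --user units.
user_unit_target_ok() {
    targets=$(sed -n 's/^WantedBy=//p' "$1")
    [ -n "$targets" ] || return 1
    for t in $targets; do
        [ "$t" = "default.target" ] || return 1
    done
}

# 0 if authbind will allow port $2: the file $1/$2 must exist and be executable
# by the caller (authbind checks the execute bit, not just existence).
authbind_port_allowed() {
    [ -f "$1/$2" ] && [ -x "$1/$2" ]
}

# Constructed sample files standing in for the real ones.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/novnc.service" <<'EOF'
[Service]
User=www-data
ExecStart=authbind --deep novnc --listen 443
[Install]
WantedBy=graphical.target
EOF
cat > "$tmp/x11vnc.service" <<'EOF'
[Service]
ExecStart=x11vnc -shared -forever -noxdamage -localhost -noxrecord -nopw -many
Restart=always
[Install]
WantedBy=default.target
EOF
mkdir "$tmp/byport" && touch "$tmp/byport/443" && chmod 500 "$tmp/byport/443"

unit_runs_unprivileged "$tmp/novnc.service" && echo "novnc.service: runs as non-root"
user_unit_target_ok "$tmp/x11vnc.service" && echo "x11vnc.service: WantedBy=default.target"
authbind_port_allowed "$tmp/byport" 443 && echo "authbind: port 443 allowed"
```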