Write PIDFile inside /var/run/usbguard directory
Related to https://github.com/USBGuard/usbguard/issues/460, it is possible to run USBGuard as an unprivileged (non-root) user even with the -f option & Type=forking in the unit file. To get this to work, I had to:
- Add a new "usbguard" user and group using systemd-sysusers.
- Change ownership of "/etc/usbguard/" and "/var/log/usbguard/" to the "usbguard:usbguard" user and group. I may have changed other folders as well but I don't fully remember.
- Recompile USBGuard to write its PID file to the "/var/run/usbguard/" directory (which can be owned by "usbguard:usbguard") instead of "/var/run/" (which must be owned by root, so writing the PID file as an unprivileged user fails).
- Update the "PIDFile=/var/run/usbguard/usbguard.pid" option, and add the "User=usbguard", "Group=usbguard", and "SupplementaryGroups=" options to the unit file.
EDIT:
- 5) Add "CAP_DAC_OVERRIDE" to "AmbientCapabilities=" and "CapabilityBoundingSet=" in the unit file. This is needed so that USBGuard can actually write to the "authorized" properties of the different USB devices under /sys. I think this shouldn't be much of a security risk, since other hardening options in the unit file prevent arbitrary writes to the rest of the system.
- 6) Add "AmbientCapabilities=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE CAP_DAC_OVERRIDE" if you want to allow non-root users to manage USBGuard through the IPC interface.
And after testing, #3 is very obviously not necessary. USBGuard has the "-p" option to specify where the PID file is written to, no recompilation needed. That's what I get for looking at the source code before the man page...
It would be nice if the PID file was in its own folder by default, but it's not a major issue. Given that CAP_DAC_OVERRIDE is needed, I won't submit a PR to make running as a dedicated user the default. But for those who are interested, the above should be all that's needed to make it work.
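Worked example, added here and not taken from the issue author or from the USBGuard project's shipped unit file: a `usbguard.service` that combines the steps above (dedicated user, `RuntimeDirectory=` for the PID file directory, `-p` instead of a recompile, and the capability lines from items 5 and 6). The `ExecStart=` path, the `ReadWritePaths=` list and the extra `Protect*` hardening lines are assumptions about a typical install and should be checked against your distribution's unit.

```ini
# usbguard.service -- assembled from the steps in the thread above.
# NOT the upstream unit; paths and hardening lines are assumptions.
[Unit]
Description=USBGuard daemon (running as the dedicated "usbguard" user)
Documentation=man:usbguard-daemon(8)
# The user/group are created by a sysusers.d fragment (step 1), so order after it.
After=systemd-sysusers.service

[Service]
# Step 4: keep -f / Type=forking, but drop privileges via User=/Group=.
Type=forking
User=usbguard
Group=usbguard
SupplementaryGroups=

# systemd creates /run/usbguard (same as /var/run/usbguard) owned by
# User/Group before ExecStart and removes it again when the unit stops,
# so the PID file lives in a directory the unprivileged daemon can write.
RuntimeDirectory=usbguard
RuntimeDirectoryMode=0750

# Step 3 without recompiling: -p tells usbguard-daemon where to write the
# PID file, and PIDFile= must point at the same path.
PIDFile=/run/usbguard/usbguard.pid
ExecStart=/usr/sbin/usbguard-daemon -f -p /run/usbguard/usbguard.pid

# Step 5: CAP_DAC_OVERRIDE is what lets a non-root daemon write the
# "authorized" attribute of USB devices under /sys.
CapabilityBoundingSet=CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_DAC_OVERRIDE
# Step 6 (optional): if non-root users should manage USBGuard over the IPC
# socket, widen BOTH lines to the set from the thread instead:
#CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE CAP_DAC_OVERRIDE
#AmbientCapabilities=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE CAP_DAC_OVERRIDE

# Hardening (assumed, not from the thread): keep CAP_DAC_OVERRIDE from
# turning into a write-anywhere capability. ProtectSystem=strict remounts
# the whole filesystem read-only except /dev, /proc and /sys, so /sys stays
# writable for step 5; only the two directories chown'ed in step 2 are
# opened up again.
ProtectSystem=strict
ReadWritePaths=/etc/usbguard /var/log/usbguard
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
# Do NOT add ProtectKernelTunables=yes here: it makes /sys read-only and
# breaks the "authorized" writes that step 5 is about.

[Install]
WantedBy=multi-user.target
```

The matching sysusers.d fragment from step 1 is a single line such as `u usbguard - "USBGuard daemon"` in `/etc/sysusers.d/usbguard.conf` (name and comment are assumptions). After installing the unit, `systemctl daemon-reload && systemctl restart usbguard` and then `ls -ld /run/usbguard` should show the directory owned by `usbguard:usbguard` with the PID file inside; if the daemon fails to start, `journalctl -u usbguard` will show whether it is the PID file path or a /sys write that is being denied.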
@hartwork Technically it's Systemd that creates this directory, but it does happen automatically when needed. The line "RuntimeDirectory=usbguard" in the unit file means "create /var/run/usbguard before the service starts".
@juspence thanks for your reply. I think that means that all distros without systemd for an init system will have to extend their init script to create that directory on demand then.
Does the PID file get deleted when the daemon exits due to RuntimeDirectory=usbguard? I am not sure if we do such a cleanup right now, but that could be useful as well.