
[Feature Request] 2 suggestions for trojan.service-example

Open xiruizhao opened this issue 4 years ago • 8 comments

  1. mysql seems to install only a service named mysql.service on Ubuntu Focal (Debian defaults to mariadb now so I didn't check). Is mysqld.service installed on other distros?
  2. SSL certificates should be root-owned and only root-readable (since they prove that you are example.com). Since trojan has to read SSL certificates, trojan should run as root instead of nobody (is it secure to do this?).

xiruizhao avatar Aug 18 '20 04:08 xiruizhao

@xiruizhao 1. It's not a problem. Systemd will only wait for services that exist. 2. You can use groups to solve this problem.

GreaterFire avatar Aug 18 '20 04:08 GreaterFire

  1. I'm just wondering why you added mysqld.service in the first place.
  2. By using groups, you mean
    1. addgroup --system ssl-access
    2. chmod g+r <ssl.cert> and chgrp ssl-access <ssl.cert>
    3. add Group=ssl-access for trojan.service

right? Do you plan to add a helper script for that (in the Debian package)? As far as I understand, trojan is fairly secure, so I think it's better to change to User=root.

xiruizhao avatar Aug 18 '20 04:08 xiruizhao

I will try to write a script. Perhaps you can review it later.

xiruizhao avatar Aug 18 '20 05:08 xiruizhao

I tried the setup and just realized trojan requires access to port 443, so it has to be ~root~ a system user (nobody wouldn't work).

xiruizhao avatar Aug 18 '20 08:08 xiruizhao

I think you can consider changing to User=trojan in trojan.service and adding a trojan.postinstall to debian.tar.xz similar to the following snippet:

#!/bin/sh
# Debian maintainer script (postinst): create the unprivileged system user
# "trojan" on first configure and restrict the config file to that user.
set -e

# Trace the script when DEBIAN_SCRIPT_DEBUG is set in the environment.
test "$DEBIAN_SCRIPT_DEBUG" && set -v -x

case "$1" in
  configure)
    # Only create the account if it does not exist yet (upgrades skip this).
    if ! getent passwd trojan > /dev/null; then
        adduser --quiet \
                --system \
                --group \
                --no-create-home \
                --disabled-password \
                --home /nonexistent \
                trojan
        chown trojan:trojan /etc/trojan/config.json
        chmod g=,o= /etc/trojan/config.json # since config.json contains a plain password
    fi
  ;;
esac

#DEBHELPER#

exit 0

Granting SSL certificate access to system user trojan should be handled by the end user (for example certbot should provide instructions on how to grant access to user trojan).

xiruizhao avatar Aug 18 '20 10:08 xiruizhao

> I tried the setup and just realized trojan requires access to port 443, so it has to be ~root~ a system user (nobody wouldn't work).

Change the config.json owner to nobody, just like chown -R nobody:nobody /usr/local/etc/trojan. If you wonder why mysql.service is put in the first row, just delete it.

0neday avatar Aug 22 '20 01:08 0neday

As for the certificate problem, generally nginx can access the certificates, so would running trojan under the nginx account be enough?

XuuKoo avatar Oct 10 '20 14:10 XuuKoo

Just checked that with certbot: for some reason the private keys (which Trojan needs) have only 600 permissions, so the user nobody cannot access them; only root can. Other files (such as the full chain) have 644 permissions, so nobody can access them.

So what is the right way to use the nobody user for trojan with a certbot generated certificate?

Also, it seems that with the nobody user you also get this warning: "Special user nobody configured, this is not safe!"

So there are pros and cons in each way.

lss4 avatar Jan 01 '21 07:01 lss4
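The group-based approach sketched earlier in the thread (ssl-access group, group-readable key, service user in that group) is also the answer to the certbot question just above. Below is an added example script, not part of the trojan project, that grants a non-root service user read access to a certbot private key through a dedicated group and verifies the result; the group name, user name and certbot paths are assumptions.

```shell
#!/bin/sh
# Added example, not the trojan project's code: let a non-root trojan user read a
# certbot private key through a dedicated group, and verify the result.
# Group name, user name and certbot paths are assumptions.
set -eu

LE=/etc/letsencrypt

# Octal mode / numeric gid of a file, following symlinks (live/ entries are links).
file_mode() { stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"; }
file_gid()  { stat -L -c '%g' "$1" 2>/dev/null || stat -L -f '%g'  "$1"; }

# A shared private key should be owner rw, group r, nothing for others.
# 600 (certbot's default) locks group members out; 644 leaks it to everyone.
key_mode_ok() {
  case "$1" in
    640|440) return 0 ;;
    *) return 1 ;;
  esac
}

# check_key <file> <gid>: fail with a reason unless group and mode are right.
check_key() {
  gid=$(file_gid "$1"); mode=$(file_mode "$1")
  [ "$gid" = "$2" ] || { echo "$1: gid $gid, expected $2" >&2; return 1; }
  key_mode_ok "$mode" || { echo "$1: mode $mode, expected 640" >&2; return 1; }
}

# grant_access <service-user> <group> <domain>: privileged setup, run as root.
# certbot stores the real files in archive/ and symlinks them from live/, so
# the group and mode go on the archive keys; the directories only need g+x
# (traverse) so the key can be reached without listing other domains.
grant_access() {
  getent group "$2" >/dev/null || addgroup --system "$2"
  usermod -a -G "$2" "$1"          # trojan.service with User=$1 inherits it
  for d in "$LE/live" "$LE/archive" "$LE/live/$3" "$LE/archive/$3"; do
    chgrp "$2" "$d"; chmod g+x "$d"
  done
  chgrp "$2" "$LE/archive/$3"/privkey*.pem
  chmod 640  "$LE/archive/$3"/privkey*.pem
  # Recent certbot releases keep the previous key's group and mode on renewal;
  # re-run check_key after the first renewal to confirm that on your system.
  check_key "$LE/live/$3/privkey.pem" "$(getent group "$2" | cut -d: -f3)"
}

# Usage (as root): sh grant-cert-access.sh trojan ssl-access example.com
if [ "$#" -eq 3 ]; then grant_access "$1" "$2" "$3"; fi
```

Because the membership is a supplementary group of the service user, trojan.service keeps User=trojan and needs no Group= change; SupplementaryGroups=ssl-access in the unit is an equivalent alternative to usermod.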