
Write PIDFile inside /var/run/usbguard directory #498

Status: Open. Wants to merge 1 commit into base branch main.

Conversation

@juspence commented Nov 20, 2021

Related to #460, it is possible to run USBGuard as an unprivileged (non-root) user even with the -f option & Type=forking in the unit file. To get this to work, I had to:

  1. Add a new "usbguard" user and group using systemd-sysusers.
  2. Change ownership of "/etc/usbguard/" and "/var/log/usbguard/" to the "usbguard:usbguard" user and group. I may have changed other folders as well but I don't fully remember.
  3. Recompile USBGuard to write its PID file to the "/var/run/usbguard/" directory (which can be owned by "usbguard:usbguard") instead of "/var/run/" (which must be owned by root, so writing the PID file as an unprivileged user fails).
  4. Update the "PIDFile=/var/run/usbguard/usbguard.pid" option, and add the "User=usbguard", "Group=usbguard", and "SupplementaryGroups=" options to the unit file.

EDIT:

  5. Add "CAP_DAC_OVERRIDE" to "AmbientCapabilities=" and "CapabilityBoundingSet=" in the unit file. This is needed so that USBGuard can actually write to the "authorized" properties of the different USB devices under /sys. I think this shouldn't be much of a security risk, since other hardening options in the unit file prevent arbitrary writes to the rest of the system.
  6. Add "AmbientCapabilities=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE CAP_DAC_OVERRIDE" if you want to allow non-root users to manage USBGuard through the IPC interface.

And after testing, #3 is very obviously not necessary. USBGuard has the "-p" option to specify where the PID file is written to, no recompilation needed. That's what I get for looking at the source code before the man page...

It would be nice if the PID file was in its own folder by default, but it's not a major issue. Given that CAP_DAC_OVERRIDE is needed, I won't submit a PR to make running as a dedicated user the default. But for those who are interested, the above should be all that's needed to make it work.
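The six steps above, collected into the three files a systemd-based distribution would use for them: a sysusers.d entry (step 1), a tmpfiles.d entry for the ownership changes (step 2) and a drop-in for usbguard.service (steps 3 to 6, using the -p option instead of a recompile). This is an added example and not part of the PR or of the USBGuard project's own files; the file names, the drop-in name and the daemon path /usr/sbin/usbguard-daemon are assumptions.

```ini
# /etc/sysusers.d/usbguard.conf   (assumed file name)
# Step 1: dedicated system user and group, created by systemd-sysusers.
u usbguard - "USBGuard daemon" -

# /etc/tmpfiles.d/usbguard.conf   (assumed file name)
# Step 2: hand the config and log directories to usbguard:usbguard.
# "Z" recurses and "-" for the mode leaves existing permissions untouched.
# Note that this lets the daemon rewrite its own policy in /etc/usbguard;
# that is required when rules are changed over IPC, otherwise keep it root-owned.
Z /etc/usbguard     - usbguard usbguard -
Z /var/log/usbguard - usbguard usbguard -

# /etc/systemd/system/usbguard.service.d/unprivileged.conf   (assumed drop-in name)
[Service]
# Step 4: run as the dedicated account instead of root.
User=usbguard
Group=usbguard
# Only list groups here if the daemon really needs them (left empty on purpose).
SupplementaryGroups=

# systemd creates /run/usbguard (/var/run is a symlink to /run) owned by
# User=/Group= before ExecStart runs, and removes it again when the unit stops.
RuntimeDirectory=usbguard
RuntimeDirectoryMode=0755

# Steps 3 and 4: keep the PID file inside the runtime directory via -p;
# the empty ExecStart= first clears the value inherited from the packaged unit.
ExecStart=
ExecStart=/usr/sbin/usbguard-daemon -f -p /run/usbguard/usbguard.pid
Type=forking
PIDFile=/run/usbguard/usbguard.pid

# Step 5: the only capability needed to write the "authorized" attribute under /sys.
# Both settings merge (OR) with whatever the packaged unit already lists.
CapabilityBoundingSet=CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_DAC_OVERRIDE

# Step 6 (optional): uncomment to let non-root users manage USBGuard over IPC.
#CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
#AmbientCapabilities=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
```

After dropping these in, run `systemd-sysusers`, `systemd-tmpfiles --create`, `systemctl daemon-reload` and restart the unit; `systemctl show usbguard -p User -p PIDFile -p AmbientCapabilities` confirms the merged values. Because the PID file lives under RuntimeDirectory=, systemd deletes it together with the directory on stop (unless RuntimeDirectoryPreserve= is set), so a stale PID file cannot survive a crash or restart.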

@hartwork (Contributor) left a comment

@juspence does the USBGuard code create folder /var/run/usbguard anywhere if it's missing?

@juspence (Author)

@hartwork Technically it's systemd that creates this directory, but it does happen automatically when needed. The line "RuntimeDirectory=usbguard" in the unit file means "create /var/run/usbguard before the service starts".

@hartwork (Contributor)

@juspence thanks for your reply. I think that means that all distros without systemd for an init system will have to extend their init script to create that directory on demand then.

@Cropi (Member) commented Sep 8, 2022

Does the PID file get deleted when the daemon exits due to RuntimeDirectory=usbguard? I am not sure if we do such a cleanup right now, but that could be useful as well.
