Feature Request

Description

I brought up in the matrix chat a long time ago that I could help transition the systemd unit to use the user= and group= keys. (I'm finally able to work on it.)
As I understand, best practice with systemd units is that we set those to "authelia", as by default the service would otherwise run as user and group "root". It isn't necessarily a vulnerability, but more of another layer in sandboxing (though don't quote me, I'm not an expert).
Use Case
For anyone running Authelia as a systemd service, the process(?) would run as user and group "authelia" instead of "root", increasing sandboxing.
Steps to complete
I've got a working example on my machine, though it may not be perfect (as I said before, I'm not an expert).
What I see needing completed:

- add user=authelia and group=authelia to the systemd config (example can be seen in issue Run Authelia with systemd #568)
- add two files: authelia.tmpfiles.conf and authelia.sysusers.conf, placing them at /usr/lib/sysusers.d/authelia.conf and /usr/lib/tmpfiles.d/authelia.conf, respectively (at least for Arch Linux; I've got a functioning sample PKGBUILD)
- add to the Redis documentation that if using this systemd unit, the authelia user needs to be added to the redis group (I suspect this may have been one of the problems the original poster in Run Authelia with systemd #568 was having, if they were using Redis)
- any other changes to be compatible with the Debian, Docker, and any other builds (I'm unfamiliar with these)
If this looks correct, I can create a WIP pull request from my fork, and testing and other alterations as needed can begin.
Let me know. Thanks!
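As an added example (not Authelia's own packaging, and not code from the issue above), the following POSIX shell script stages the three files the issue describes into a DESTDIR the way a PKGBUILD or Debian package would, and includes a small check that the unit really sets User= and Group=. Everything beyond the three file names is an assumption: the unit name and ExecStart, /usr/bin/authelia, /etc/authelia/configuration.yml, the /var/lib/authelia state directory, the /usr/bin/nologin path (Arch; Debian uses /usr/sbin/nologin) and the extra hardening directives. The redis-group step is kept as a comment because the redis group only exists on hosts that have Redis installed.

```shell
#!/bin/sh
# Added example, not Authelia's own packaging: stage the files the issue lists into
# $DESTDIR the way a PKGBUILD or Debian package would, then check the unit drops root.
# Assumptions (not from the issue): the unit name, /usr/bin/authelia, the config path
# /etc/authelia/configuration.yml, the state directory /var/lib/authelia, the nologin
# shell path (Arch; Debian uses /usr/sbin/nologin) and the extra hardening directives.
set -eu

install_authelia_files() {
    dest="$1"
    mkdir -p "$dest/usr/lib/systemd/system" "$dest/usr/lib/sysusers.d" "$dest/usr/lib/tmpfiles.d"

    # sysusers.d (Type Name ID GECOS Home Shell): 'u' creates a system user and a group of
    # the same name; '-' lets systemd-sysusers pick the UID/GID and the default home.
    # A second line "m authelia redis" would add the user to the redis group for a
    # unix-socket Redis, but it only works on hosts where that group exists, so it is
    # left to the Redis docs / "usermod -aG redis authelia" as the issue suggests.
    cat > "$dest/usr/lib/sysusers.d/authelia.conf" <<'EOF'
u authelia - "Authelia authentication server" - /usr/bin/nologin
EOF

    # tmpfiles.d (Type Path Mode User Group Age): create the state directory owned by the
    # service user so the process can still write there once it no longer runs as root.
    cat > "$dest/usr/lib/tmpfiles.d/authelia.conf" <<'EOF'
d /var/lib/authelia 0750 authelia authelia -
EOF

    # systemd unit: User=/Group= are the change the issue asks for; without them the
    # service runs as root. NoNewPrivileges/ProtectSystem/ReadWritePaths are optional
    # extra sandboxing (an assumption here, not something the issue specifies).
    cat > "$dest/usr/lib/systemd/system/authelia.service" <<'EOF'
[Unit]
Description=Authelia authentication and authorization server
After=network.target

[Service]
User=authelia
Group=authelia
ExecStart=/usr/bin/authelia --config /etc/authelia/configuration.yml
Restart=on-failure
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/var/lib/authelia

[Install]
WantedBy=multi-user.target
EOF
}

# Returns 0 when the unit sets both User= and Group= to the given account, non-zero
# otherwise. Useful as a packaging check so a regression back to root cannot slip through.
unit_drops_root() {
    unit="$1"
    account="$2"
    grep -qx "User=$account" "$unit" && grep -qx "Group=$account" "$unit"
}

# Stage into a scratch directory when run directly; a package build would set DESTDIR.
DESTDIR="${DESTDIR:-$(mktemp -d)}"
install_authelia_files "$DESTDIR"
if unit_drops_root "$DESTDIR/usr/lib/systemd/system/authelia.service" authelia; then
    echo "staged under $DESTDIR: unit runs as authelia, not root"
else
    echo "unit still runs as root" >&2
    exit 1
fi
```

Once the files are installed for real, `systemd-sysusers` and `systemd-tmpfiles --create` apply the two snippets (they also run at boot), `systemd-analyze security authelia.service` scores the sandboxing of the unit, and `ps -o user= -C authelia` confirms the running process is no longer root. If Authelia talks to Redis over a unix socket, the user also needs the redis group, as the issue notes.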