From b137b3df85ac967ca4f4daf3642994e4143b90b6 Mon Sep 17 00:00:00 2001
From: Jacquin Antoine <antoine@arkel.fr>
Date: Sun, 1 Mar 2026 00:14:23 +0100
Subject: [PATCH] fix(packaging): run service as root for packet capture

- Change systemd service to run as root instead of ja4sentinel user
- Remove user/group creation from RPM spec (%pre script)
- Update %post to set root:root ownership on directories
- Adjust security hardening for root execution (ProtectSystem=strict)
- Add ReadWritePaths for writable directories

Fixes: systemd error 'Failed at step USER spawning /usr/bin/ja4sentinel: No such process'

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---
 packaging/rpm/ja4sentinel.spec        | 17 ++++++-----------
 packaging/systemd/ja4sentinel.service | 13 ++++++-------
 2 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/packaging/rpm/ja4sentinel.spec b/packaging/rpm/ja4sentinel.spec
index 32887dd..7e3544f 100644
--- a/packaging/rpm/ja4sentinel.spec
+++ b/packaging/rpm/ja4sentinel.spec
@@ -53,19 +53,15 @@ install -m 640 %{_sourcedir}/config.yml %{buildroot}/etc/ja4sentinel/config.yml.
 install -m 640 %{_sourcedir}/config.yml %{buildroot}/usr/share/ja4sentinel/config.yml
 
 %pre
-# Create system user and group (compatible with CentOS 7+)
-getent group ja4sentinel >/dev/null || groupadd -r ja4sentinel
-getent passwd ja4sentinel >/dev/null || \
-    useradd -r -g ja4sentinel -d /var/lib/ja4sentinel -s /sbin/nologin \
-    -c "JA4Sentinel Service User" ja4sentinel
+# No user creation needed - service runs as root for packet capture
 exit 0
 
 %post
-# Set proper ownership
-chown -R ja4sentinel:ja4sentinel /var/lib/ja4sentinel 2>/dev/null || true
-chown -R ja4sentinel:ja4sentinel /var/run/ja4sentinel 2>/dev/null || true
-chown -R ja4sentinel:ja4sentinel /var/log/ja4sentinel 2>/dev/null || true
-chown -R ja4sentinel:ja4sentinel /etc/ja4sentinel 2>/dev/null || true
+# Set proper ownership (root:root for packet capture)
+chown -R root:root /var/lib/ja4sentinel 2>/dev/null || true
+chown -R root:root /var/run/ja4sentinel 2>/dev/null || true
+chown -R root:root /var/log/ja4sentinel 2>/dev/null || true
+chown -R root:root /etc/ja4sentinel 2>/dev/null || true
 
 # Set proper permissions
 chmod 750 /var/lib/ja4sentinel 2>/dev/null || true
@@ -75,7 +71,6 @@ chmod 750 /etc/ja4sentinel 2>/dev/null || true
 # Install config if not exists
 if [ ! -f /etc/ja4sentinel/config.yml ]; then
     cp /usr/share/ja4sentinel/config.yml /etc/ja4sentinel/config.yml
-    chown ja4sentinel:ja4sentinel /etc/ja4sentinel/config.yml 2>/dev/null || true
     chmod 640 /etc/ja4sentinel/config.yml
 fi
 
diff --git a/packaging/systemd/ja4sentinel.service b/packaging/systemd/ja4sentinel.service
index 5f5d0e6..1c24447 100644
--- a/packaging/systemd/ja4sentinel.service
+++ b/packaging/systemd/ja4sentinel.service
@@ -6,17 +6,16 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-User=ja4sentinel
-Group=ja4sentinel
+User=root
+Group=root
 WorkingDirectory=/var/lib/ja4sentinel
 ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
 Restart=on-failure
 RestartSec=5
 Environment=JA4SENTINEL_LOG_LEVEL=info
 
-# Security hardening
-NoNewPrivileges=yes
-ProtectSystem=full
+# Security hardening (compatible with root for packet capture)
+ProtectSystem=strict
 ProtectHome=yes
 PrivateTmp=yes
 ProtectKernelTunables=yes
@@ -24,10 +23,10 @@ ProtectKernelModules=yes
 ProtectControlGroups=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
-MemoryDenyWriteExecute=yes
 LockPersonality=yes
+ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel
 
-# Capabilities for packet capture
+# Capabilities for packet capture (inherited by root)
 AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
 CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN