fix(packaging): run service as root for packet capture
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
- Change systemd service to run as root instead of ja4sentinel user - Remove user/group creation from RPM spec (%pre script) - Update %post to set root:root ownership on directories - Adjust security hardening for root execution (ProtectSystem=strict) - Add ReadWritePaths for writable directories Fixes: systemd error 'Failed at step USER spawning /usr/bin/ja4sentinel: No such process' Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
This commit is contained in:
Jacquin Antoine
@ -53,19 +53,15 @@ install -m 640 %{_sourcedir}/config.yml %{buildroot}/etc/ja4sentinel/config.yml.
|
||||
install -m 640 %{_sourcedir}/config.yml %{buildroot}/usr/share/ja4sentinel/config.yml
|
||||
|
||||
%pre
|
||||
# Create system user and group (compatible with CentOS 7+)
|
||||
getent group ja4sentinel >/dev/null || groupadd -r ja4sentinel
|
||||
getent passwd ja4sentinel >/dev/null || \
|
||||
useradd -r -g ja4sentinel -d /var/lib/ja4sentinel -s /sbin/nologin \
|
||||
-c "JA4Sentinel Service User" ja4sentinel
|
||||
# No user creation needed - service runs as root for packet capture
|
||||
exit 0
|
||||
|
||||
%post
|
||||
# Set proper ownership
|
||||
chown -R ja4sentinel:ja4sentinel /var/lib/ja4sentinel 2>/dev/null || true
|
||||
chown -R ja4sentinel:ja4sentinel /var/run/ja4sentinel 2>/dev/null || true
|
||||
chown -R ja4sentinel:ja4sentinel /var/log/ja4sentinel 2>/dev/null || true
|
||||
chown -R ja4sentinel:ja4sentinel /etc/ja4sentinel 2>/dev/null || true
|
||||
# Set proper ownership (root:root for packet capture)
|
||||
chown -R root:root /var/lib/ja4sentinel 2>/dev/null || true
|
||||
chown -R root:root /var/run/ja4sentinel 2>/dev/null || true
|
||||
chown -R root:root /var/log/ja4sentinel 2>/dev/null || true
|
||||
chown -R root:root /etc/ja4sentinel 2>/dev/null || true
|
||||
|
||||
# Set proper permissions
|
||||
chmod 750 /var/lib/ja4sentinel 2>/dev/null || true
|
||||
@ -75,7 +71,6 @@ chmod 750 /etc/ja4sentinel 2>/dev/null || true
|
||||
# Install config if not exists
|
||||
if [ ! -f /etc/ja4sentinel/config.yml ]; then
|
||||
cp /usr/share/ja4sentinel/config.yml /etc/ja4sentinel/config.yml
|
||||
chown ja4sentinel:ja4sentinel /etc/ja4sentinel/config.yml 2>/dev/null || true
|
||||
chmod 640 /etc/ja4sentinel/config.yml
|
||||
fi
|
||||
|
||||
|
||||
@ -6,17 +6,16 @@ Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=ja4sentinel
|
||||
Group=ja4sentinel
|
||||
User=root
|
||||
Group=root
|
||||
WorkingDirectory=/var/lib/ja4sentinel
|
||||
ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
Environment=JA4SENTINEL_LOG_LEVEL=info
|
||||
|
||||
# Security hardening
|
||||
NoNewPrivileges=yes
|
||||
ProtectSystem=full
|
||||
# Security hardening (compatible with root for packet capture)
|
||||
ProtectSystem=strict
|
||||
ProtectHome=yes
|
||||
PrivateTmp=yes
|
||||
ProtectKernelTunables=yes
|
||||
@ -24,10 +23,10 @@ ProtectKernelModules=yes
|
||||
ProtectControlGroups=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
LockPersonality=yes
|
||||
ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel
|
||||
|
||||
# Capabilities for packet capture
|
||||
# Capabilities for packet capture (inherited by root)
|
||||
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
|
||||
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
|
||||
|
||||
|
||||
Reference in New Issue
Block a user