fix(packaging): run service as root for packet capture

- Change systemd service to run as root instead of ja4sentinel user
- Remove user/group creation from RPM spec (%pre script)
- Update %post to set root:root ownership on directories
- Adjust security hardening for root execution (ProtectSystem=strict)
- Add ReadWritePaths for writable directories

Fixes: systemd error 'Failed at step USER spawning /usr/bin/ja4sentinel: No such process'

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

packaging/rpm/ja4sentinel.spec

@@ -53,19 +53,15 @@ install -m 640 %{_sourcedir}/config.yml %{buildroot}/etc/ja4sentinel/config.yml.
 install -m 640 %{_sourcedir}/config.yml %{buildroot}/usr/share/ja4sentinel/config.yml
 
 %pre
-# Create system user and group (compatible with CentOS 7+)
+# No user creation needed - service runs as root for packet capture
-getent group ja4sentinel >/dev/null || groupadd -r ja4sentinel
-getent passwd ja4sentinel >/dev/null || \
-    useradd -r -g ja4sentinel -d /var/lib/ja4sentinel -s /sbin/nologin \
-    -c "JA4Sentinel Service User" ja4sentinel
 exit 0
 
 %post
-# Set proper ownership
+# Set proper ownership (root:root for packet capture)
-chown -R ja4sentinel:ja4sentinel /var/lib/ja4sentinel 2>/dev/null || true
+chown -R root:root /var/lib/ja4sentinel 2>/dev/null || true
-chown -R ja4sentinel:ja4sentinel /var/run/ja4sentinel 2>/dev/null || true
+chown -R root:root /var/run/ja4sentinel 2>/dev/null || true
-chown -R ja4sentinel:ja4sentinel /var/log/ja4sentinel 2>/dev/null || true
+chown -R root:root /var/log/ja4sentinel 2>/dev/null || true
-chown -R ja4sentinel:ja4sentinel /etc/ja4sentinel 2>/dev/null || true
+chown -R root:root /etc/ja4sentinel 2>/dev/null || true
 
 # Set proper permissions
 chmod 750 /var/lib/ja4sentinel 2>/dev/null || true
@@ -75,7 +71,6 @@ chmod 750 /etc/ja4sentinel 2>/dev/null || true
 # Install config if not exists
 if [ ! -f /etc/ja4sentinel/config.yml ]; then
     cp /usr/share/ja4sentinel/config.yml /etc/ja4sentinel/config.yml
-    chown ja4sentinel:ja4sentinel /etc/ja4sentinel/config.yml 2>/dev/null || true
     chmod 640 /etc/ja4sentinel/config.yml
 fi
 

packaging/systemd/ja4sentinel.service

@@ -6,17 +6,16 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-User=ja4sentinel
+User=root
-Group=ja4sentinel
+Group=root
 WorkingDirectory=/var/lib/ja4sentinel
 ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
 Restart=on-failure
 RestartSec=5
 Environment=JA4SENTINEL_LOG_LEVEL=info
 
-# Security hardening
+# Security hardening (compatible with root for packet capture)
-NoNewPrivileges=yes
+ProtectSystem=strict
-ProtectSystem=full
 ProtectHome=yes
 PrivateTmp=yes
 ProtectKernelTunables=yes
@@ -24,10 +23,10 @@ ProtectKernelModules=yes
 ProtectControlGroups=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
-MemoryDenyWriteExecute=yes
 LockPersonality=yes
+ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel
 
-# Capabilities for packet capture
+# Capabilities for packet capture (inherited by root)
 AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
 CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN