Running the xrdp process as non root - neutrinolabs/xrdp GitHub Wiki

Scope

This information applies versions of xrdp v0.10.1. and later. For information on earlier versions, see the this previous page version

Description

A default build and install of xrdp will run the xrdp-sesman(8) and xrdp(8) daemons as root. xrdp-sesman needs to run as root, as it is responsible for user session management. However, it is possible for the xrdp process to be run as a non-privileged user.

Debian have packaged the xrdp daemon to run without privilege for a long time now. This is done by making source-level changes. The purpose of the PR above is to allow any distribution (or user building xrdp privately) to run xrdp without privilege. This is HIGHLY recommended.

For compatibility, running the xrdp daemon without privilege is not yet enforced. It may be enforced in the future.

Preparation

The procedure requires a suitable non-privileged user and group. The group should contain only the non-privileged user. Debian uses a user called xrdp and a group called xrdp for this. We will refer to the user and the group below as xrdp and xrdp, as the expectation is that other distros will follow Debian's lead. xrdp:xrdp is a notation for <non-privileged user>:<non-privileged group> together.

Procedure

Add the non-privileged user and group to the system.
Make these changes to the [Globals] section in /etc/xrdp/xrdp.ini:-
```
runtime_user=xrdp
runtime_group=xrdp
```
Make this change to the [Globals] section in /etc/xrdp/sesman.ini:-
```
SessionSockdirGroup=xrdp
```
Ensure the following file permissions are set:-

File Required ownership Required permissions

/etc/xrdp/rsakeys.ini root:xrdp 640

TLS certificate file varies Read-only for xrdp:xrdp

TLS private key file varies Read-only for xrdp:xrdp

File	Required ownership	Required permissions
/etc/xrdp/rsakeys.ini	`root:xrdp`	640
TLS certificate file	varies	Read-only for `xrdp:xrdp`
TLS private key file	varies	Read-only for `xrdp:xrdp`

Testing

A script xrdp-chkpriv is installed along with xrdp. this will normally be in /usr/share/xrdp/, or /usr/local/share/xrdp depending on how xrdp is installed on your system.

Run the script with privilege to check the procedure above has been correctly followed. An example successful run from FreeBSD looks like this:-

$ sudo /usr/local/share/xrdp/xrdp-chkpriv 
Settings
 - [xrdp.ini]   runtime_user        : xrdp
 - [xrdp.ini]   runtime_group       : xrdp
 - [xrdp.ini]   certificate         : /etc/xrdp/cert.pem
 - [xrdp.ini]   key_file            : /etc/xrdp/key.pem
 - [sesman.ini] SessionSockdirGroup : xrdp

-Info- runtime_user 'xrdp' appears to exist
-Info- runtime_group 'xrdp' appears to exist
-Info- xrdp.ini and sesman.ini agree on group ownership
-Info- /etc/xrdp/rsakeys.ini has correct permissions
-Info- /etc/xrdp/cert.pem is read-only for xrdp:xrdp
-Info- /etc/xrdp/key.pem is read-only for xrdp:xrdp

-Summary- Permissions appear to be correct to run xrdp unprivileged