msg from xrdp after pkg upgrade "should not run xrdp as root"

Firstly, Happy 2025 to all!

Secondly :)
FreeBSD 14.1-RELEASE-p5 GENERIC
pkg upgrade
msg from xrdp after pkg upgrade - "should not run xrdp as root"
I don't remember seeing that warning after initial installation of xrdp :-/
Who should run xrdp and xrdp-sesman system procs?
 
the most recent xrdp.ini suggests
runtime_user=xrdp
runtime_group=xrdp

I manually added

xrdp:*:1002:1002:xrdp daemon:/nonexistent:/usr/sbin/nologin
Password : <disabled>

don't forget
sesman.ini:
SessionSockdirGroup=xrdp

-rw-r--r-- 1 root wheel 1793 Dec 10 19:20 cert.pem
-rw-r----- 1 root xrdp 3272 Dec 10 19:20 key.pem
-rw-r--r-- 1 root wheel 2939 Dec 10 19:20 rsakeys.ini
 
Well, I did exactly as the steps in your post, but I'm still getting a warning message when booting the system: "You are running xrdp as root. This is not safe".
 
OK, I will test adding an unprivileged xrdp user and group to the port and, if all is OK, I'll open a PR so meta@ can take a look.
 
Hum... Of course, sesman is running. All was working perfectly before the upgrade.

That's what I did: created user xrdp and modified /usr/local/xrdp/xrdp.ini.
Code:
runtime_user=xrdp
runtime_group=xrdp
 
Looking at ports UIDs and GIDs:

Code:
% grep xrdp UIDs
_xrdp:*:648:648::0:0:xrdp daemon:/nonexistent:/usr/sbin/nologin
% grep xrdp GIDs
_xrdp:*:648:

Does anyone know why the user and group use "_"?
EDIT: I think it means nothing. Some ports use it, e.g. _symon in sysutils/symon.

I got it running by adding to the port:

1.
Code:
USERS= _xrdp
GROUPS= _xrdp

2.
Add the above config changes in xrdp.ini:
Code:
runtime_user=_xrdp
runtime_group=_xrdp
and sesman.ini:
Code:
SessionSockdirGroup=_xrdp

3.
Code:
chown _xrdp:_xrdp /usr/local/etc/{cert.pem,key.pem,rsakeys.ini}

Code:
% ps waux |grep xrdp
_xrdp      64452   0.0  0.1 26484 11180 v0  I    21:29     0:00.01 /usr/local/sbin/xrdp
root       64494   0.0  0.1 19720  8276 v0  I    21:29     0:00.01 /usr/local/sbin/xrdp-sesman
nunotex    64542   0.0  0.0 13048  2516  0  S+   21:38     0:00.00 grep xrdp

EDIT2:
Comparing with Debian. Might be useful.

Code:
nunotex@debian:~$ ps waux |grep xrdp
root         726  0.0  0.0  11532  4560 ?        Ss   Aug24   0:00 /usr/sbin/xrdp-sesman --nodaemon
root        1267  0.0  0.0  12312  6776 ?        Ss   Aug24   0:00 /usr/sbin/xrdp --nodaemon
root       36946  0.7  0.2 101136 20796 ?        Sl   21:41   0:01 /usr/sbin/xrdp --nodaemon
root       36948  0.0  0.1  16848  8184 ?        S    21:41   0:00 xrdp-sesexec
nunotex    36990  5.0  1.0 283712 86448 ?        Sl   21:41   0:07 /usr/lib/xorg/Xorg :10 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log
nunotex    37020  0.0  0.0  92260  6344 ?        Sl   21:41   0:00 /usr/sbin/xrdp-chansrv
nunotex    37873  0.0  0.0   6604  2272 pts/0    S+   21:44   0:00 grep xrdp
 
Nice that I've found some official documentation on how to run it as non-root. It also gives me the right ownership and permissions of cert.pem, key.pem and rsakeys.ini :)
 
port uses a pkg-install.in script that acts on pkg stage. I simply can't change it to do chown and chmod there.
post-install and post-stage don't make sense to use since the files don't exist yet at that point.

Tomorrow I'll open a PR and see if meta@ spots it.
Any help is welcome :)
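
An added example, not part of any post in this thread: a small sh check of the settings discussed above (runtime_user is not root, SessionSockdirGroup matches runtime_group, key.pem is closed to other users but still readable by the runtime user or group). The function names are hypothetical, the script assumes xrdp.ini, sesman.ini and key.pem sit in one directory, and it ignores ini section headers.

```sh
#!/bin/sh
# Added example (not from the thread): audit the non-root xrdp settings.

# ini_get FILE KEY: print the value of the last uncommented "KEY=value" line.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_xrdp_dir DIR: print one FAIL line per problem; non-zero status if any.
check_xrdp_dir() {
    dir=$1 rc=0
    user=$(ini_get "$dir/xrdp.ini" runtime_user)
    group=$(ini_get "$dir/xrdp.ini" runtime_group)
    sockgrp=$(ini_get "$dir/sesman.ini" SessionSockdirGroup)
    case $user in
        ''|root) echo "FAIL: runtime_user is unset or root"; rc=1 ;;
    esac
    [ -n "$group" ] || { echo "FAIL: runtime_group is unset"; rc=1; }
    [ "$sockgrp" = "$group" ] ||
        { echo "FAIL: SessionSockdirGroup '$sockgrp' != runtime_group '$group'"; rc=1; }
    [ -f "$dir/key.pem" ] || { echo "FAIL: $dir/key.pem not found"; return 1; }
    # Parse ls -ld instead of stat(1), whose flags differ between FreeBSD and Linux.
    set -- $(ls -ld "$dir/key.pem")
    mode=$1 owner=$3 keygrp=$4
    case $mode in
        ???????---*) ;;
        *) echo "FAIL: key.pem is accessible to other users ($mode)"; rc=1 ;;
    esac
    # The daemon must still read the key: as owner, or through runtime_group.
    if [ "$owner" != "$user" ]; then
        case "$keygrp:$mode" in
            "$group":????r*) ;;
            *) echo "FAIL: key.pem ($owner:$keygrp $mode) unreadable by $user:$group"; rc=1 ;;
        esac
    fi
    return $rc
}

# make_sample DIR GROUP: write constructed sample files (not real xrdp configs).
make_sample() {
    printf '#runtime_user=root\nruntime_user=xrdp\nruntime_group=%s\n' "$2" > "$1/xrdp.ini"
    printf 'SessionSockdirGroup=%s\n' "$2" > "$1/sesman.ini"
    : > "$1/key.pem" && chmod 640 "$1/key.pem"
}

# Usage: sh check.sh DIR   (DIR holds xrdp.ini, sesman.ini and key.pem)
if [ $# -gt 0 ]; then check_xrdp_dir "$1"; fi
```

Both layouts shown in the thread pass the key check: root:xrdp with mode 0640, and key.pem owned by the runtime user itself.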
 