Hello World,
It has been some time since our last post. We have not had much time to blog lately, with too many projects and activities going on at the moment. So, we thought it was time to publish something new on our blog.
Today, we will quickly explain how to run the xrdp daemons without root privileges in order to improve the security of the xrdp software solution. This functionality has existed in Debian for some time now, and the xrdp team has introduced support for it starting with version 0.10.1. The feature is not yet enforced, in order to preserve backward compatibility, but this might change, as it really does bring better security.
Overview
With a recent version of the xrdp package, if you check the xrdp status from the command line (sudo systemctl status xrdp), you might end up with a scary red message stating that you are using the root account to run the xrdp process and that this is not safe.
This is expected behavior.
By default, when you build and install the xrdp software package, the daemon processes run under the root account. However, to improve security, it is possible to change this behavior and have the xrdp and xrdp-sesman daemons run under a non-privileged account. The Debian xrdp package has shipped this change for quite some time, and it was a logical step to bring the same functionality into the xrdp source package.
This post explains how to run the xrdp daemon processes under a non-privileged user account.
!! Important !!
This information applies to xrdp v0.10.1 and later. If you are using a previous package version, this guide does not apply. So, check that you have the proper version of xrdp installed on your system before proceeding…
We have found all needed information to configure this on the xrdp Github wiki pages at https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root
Step by Step Instructions
Let’s try to implement this change on our Ubuntu 24.04 and Ubuntu 25.04 systems.
Step 1 – Check that the xrdp package is installed and that the version you are running is 0.10.1 or later…
From a command line, run the following command
xrdp -v
and check that version is 0.10.1 or higher. If this is the case, proceed to the next section
Step 2 – Add non-privileged user and group to your system.
From a command line, run the following command
sudo adduser --system --group --no-create-home --disabled-password --disabled-login --home /run/xrdp xrdp
Using this command, you’re creating a system user named xrdp with specific restrictions for security. Here’s what each option in the command does:
--system → Creates a system account, typically used for daemons or services.
--group → Creates a matching group for the user.
--no-create-home → Prevents the creation of a home directory.
--disabled-password → Disables password-based authentication for the user.
--disabled-login → Prevents direct login for the user.
--home /run/xrdp → Sets the home directory to /run/xrdp.
This setup ensures that xrdp can run as a service without interactive login capabilities, improving security.
Step 3 – Update the /etc/xrdp/xrdp.ini file
You will need to open the file /etc/xrdp/xrdp.ini with admin rights and modify some settings in it. Locate the following lines in the [Globals] section:
#runtime_user=xrdp
#runtime_group=xrdp
Uncomment these lines so that they look like this:
runtime_user=xrdp
runtime_group=xrdp
Save the file and move to next section
Step 4 – Update the /etc/xrdp/sesman.ini file
You will need to open the file /etc/xrdp/sesman.ini with admin rights and modify some settings in it. Locate the following line in the [Globals] section:
#SessionSockdirGroup=xrdp
Uncomment this line so that it looks like this:
SessionSockdirGroup=xrdp
Save the file and move to next section
Step 5 – Change permissions on a number of files
The documentation specifies changing the ownership and permissions of the following files.
File | Required ownership | Required permissions
---|---|---
/etc/xrdp/rsakeys.ini | root:xrdp | 640
TLS certificate file | varies | Read-only for xrdp:xrdp
TLS private key file | varies | Read-only for xrdp:xrdp
# Set the correct ownership and permissions on the RSA key file
sudo chmod 640 /etc/xrdp/rsakeys.ini
sudo chown root:xrdp /etc/xrdp/rsakeys.ini
# Grant read-only access to the xrdp user on the TLS certificate and private key
sudo setfacl -m u:xrdp:r /etc/xrdp/cert.pem
sudo setfacl -m u:xrdp:r /etc/xrdp/key.pem
Note :
We have been running the xrdp process under the non-privileged user account without changing the permissions on the TLS files, and it seems to work fine. However, we want to follow the documentation and ensure that the permissions on these files are set accordingly.
Step 6 – Check your configuration
To check that your configuration is ready, the xrdp team provides a script called xrdp-chkpriv under the /usr/share/xrdp or /usr/local/share/xrdp folder. From a terminal console, issue the following command (on Ubuntu 24.04 and Ubuntu 25.04, the folder is /usr/local/share/xrdp):
sudo /usr/local/share/xrdp/X-xrdp-chkpriv
If everything is OK, the script reports that the configuration is fine (see the screenshot in the original post).
If you still need to take some action, the script lists the items to fix (see the screenshot in the original post).
Now, if you check the status of your xrdp daemon (using systemctl status xrdp), you should no longer see the warning message about running unsafely under the root account (see the screenshot in the original post).
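As an added example (not part of the original post or of the xrdp project), here is a small POSIX shell script that re-checks steps 1 to 5 before you restart the daemons, including a field-by-field version comparison, because a plain string comparison would rank 0.9.26 above 0.10.1. The file paths, the assumption that xrdp -v prints the version as its first number, and the use of GNU stat and getfacl (acl package) are assumptions on my side.

```shell
#!/bin/sh
# Added example, not from the original post or the xrdp project: a pre-flight
# check for the non-root setup of steps 1 to 5. Assumes the paths used in the
# post, GNU stat, getfacl (acl package) and that "xrdp -v" prints the version
# as its first number.

# version_ge A B: succeeds if dotted version A >= B, comparing each numeric
# field (so 0.9.26 < 0.10.1, which a string comparison gets wrong)
version_ge() {
    va="$1." vb="$2."
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x="${va%%.*}"; va="${va#*.}"; y="${vb%%.*}"; vb="${vb#*.}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# ini_value FILE KEY: prints the first uncommented "KEY=value" in FILE
# (a leading "#" means the line stays commented out and is ignored)
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
# check_ini FILE KEY EXPECTED: succeeds only if KEY is uncommented and equal
check_ini() { [ "$(ini_value "$1" "$2")" = "$3" ]; }
file_owner() { stat -c '%U:%G' "$1" 2>/dev/null; }   # e.g. root:xrdp
file_mode()  { stat -c '%a' "$1" 2>/dev/null; }      # e.g. 640
has_user()   { id "$1" >/dev/null 2>&1; }
# acl_read FILE USER: succeeds if USER has a read ACL entry (setfacl -m u:USER:r)
acl_read() { getfacl -p "$1" 2>/dev/null | grep -q "^user:$2:r"; }
# report CMD...: runs CMD, prints the outcome and records any failure in rc
report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; rc=1; fi; }

# run_checks: apply every check to the live system; returns 1 if anything failed
run_checks() {
    rc=0
    report version_ge "$(xrdp -v 2>&1 | grep -o '[0-9][0-9.]*' | head -n 1)" 0.10.1
    report has_user xrdp
    report check_ini /etc/xrdp/xrdp.ini runtime_user xrdp
    report check_ini /etc/xrdp/xrdp.ini runtime_group xrdp
    report check_ini /etc/xrdp/sesman.ini SessionSockdirGroup xrdp
    report test "$(file_owner /etc/xrdp/rsakeys.ini)" = root:xrdp
    report test "$(file_mode /etc/xrdp/rsakeys.ini)" = 640
    report acl_read /etc/xrdp/cert.pem xrdp
    report acl_read /etc/xrdp/key.pem xrdp
    return "$rc"
}

# Only touch the live system when asked: XRDP_CHECK=1 sh chk-nonroot.sh
if [ "${XRDP_CHECK:-0}" = 1 ]; then run_checks; fi
```

The script only reads configuration and metadata, so it can be run before and after the change to see which of the steps above are still missing.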
Final Notes
This is it for this post !
This post has shown how to configure the xrdp daemons to use a non-privileged user account and provide better security on systems running the xrdp package. The Debian distribution has provided this functionality for some time now, and it sounds logical that the xrdp team wanted to include it in their implementation. As mentioned, this is not yet enforced, and the user has to perform the configuration after installing the xrdp package.
We might integrate this feature in the next release of the xrdp-installer script as an additional option. Users willing to increase security on their system could then use the xrdp-installer script to perform this configuration… It might take some time before we integrate this….
Till next time
See ya
Reference https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root