Running the xrdp process as non root
This information applies to xrdp v0.10.1 and later. For information on earlier versions, see the previous version of this page.
A default build and install of xrdp will run the xrdp-sesman(8) and xrdp(8) daemons as root. xrdp-sesman needs to run as root, as it is responsible for user session management. However, it is possible for the xrdp process to be run as a non-privileged user.
Debian have packaged the xrdp daemon to run without privilege for a long time now. This is done by making source-level changes. The purpose of the PR above is to allow any distribution (or user building xrdp privately) to run xrdp without privilege. This is HIGHLY recommended.
For compatibility, running the xrdp daemon without privilege is not yet enforced. It may be enforced in the future.
For xrdp v0.10.5 and later, it is also possible to run xrdp as a non-privileged user from the service manager (e.g. systemd or OpenRC). This removes all privileges from the xrdp daemon, but imposes the following additional restrictions:-
- The service manager will need to make arrangements for the xrdp log file (normally /var/log/xrdp.log) to be writeable by the non-privileged user. Options include setting the ownership of the log file, moving the log file, or replacing it entirely with syslog logging.
- It will no longer be possible for xrdp to listen on special socket types (e.g. the WSL vsock type), or to set some socket options on startup.
The procedure requires a suitable non-privileged user and group. The group should contain only the non-privileged user. Debian uses a user called xrdp and a group called xrdp for this. We will refer to the user and the group below as xrdp and xrdp, as the expectation is that other distros will follow Debian's lead. xrdp:xrdp is a notation for <non-privileged user>:<non-privileged group> together.
- Add the non-privileged user and group to the system.
- Make these changes to the [Globals] section in /etc/xrdp/xrdp.ini:-

      runtime_user=xrdp
      runtime_group=xrdp

- Make this change to the [Globals] section in /etc/xrdp/sesman.ini:-

      SessionSockdirGroup=xrdp

- Ensure the following file permissions are set:-

  | File | Required ownership | Required permissions |
  |------|--------------------|----------------------|
  | /etc/xrdp/rsakeys.ini | root:xrdp | 640 |
  | TLS certificate file | varies | Read-only for xrdp:xrdp |
  | TLS private key file | varies | Read-only for xrdp:xrdp |
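The permission table above, worked through as a check. This is an added example, not part of the xrdp wiki or the xrdp-chkpriv script. The function names are hypothetical, ACLs are not modelled, and the runtime user is assumed to belong to the runtime group only.

```shell
#!/bin/sh
# Added example: classic owner/group/other evaluation of the table's
# "read-only for xrdp:xrdp" requirement. Assumption: the runtime user is a
# member of the runtime group only, and no ACLs are in use.

# mode3 MODE -> last three octal digits, zero-padded (stat prints 0040 as "40")
mode3() { m=000$1; m=${m#"${m%???}"}; echo "$m"; }

# effective_digit OWNER GROUP MODE USER UGROUP
# Prints the one octal digit of MODE that applies to USER. The owner class
# wins over the group class, which wins over "other".
effective_digit() {
    m=$(mode3 "$3")
    if   [ "$1" = "$4" ]; then echo "${m%??}"
    elif [ "$2" = "$5" ]; then g=${m#?}; echo "${g%?}"
    else echo "${m#??}"
    fi
}

# access_for OWNER GROUP MODE USER UGROUP -> read-only | writable | unreadable
access_for() {
    case $(effective_digit "$@") in
        4|5) echo read-only ;;
        6|7) echo writable ;;
        *)   echo unreadable ;;       # no read bit for this user
    esac
}

# rsakeys_ok OWNER GROUP MODE UGROUP: the exact root:<group> 640 row
rsakeys_ok() {
    [ "$1" = root ] && [ "$2" = "$4" ] && [ "$(mode3 "$3")" = 640 ]
}

# stat_triple PATH -> "owner group mode" (GNU stat first, then BSD stat)
stat_triple() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %Lp' "$1"
}

# Constructed sample rows (label owner group mode), not from a real host.
while read -r label owner group mode; do
    printf '%-8s %s:%s %s -> %s\n' "$label" "$owner" "$group" "$mode" \
        "$(access_for "$owner" "$group" "$mode" xrdp xrdp)"
done <<'EOF'
key.pem root xrdp 640
key.pem xrdp xrdp 600
key.pem root root 600
EOF
```

A file owned by the runtime user can have its mode changed by that user, so granting read access through the group (for example root:xrdp with mode 640) is the tighter way to satisfy the read-only rows.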
A script, xrdp-chkpriv, is installed along with xrdp. This will normally be in /usr/share/xrdp/ or /usr/local/share/xrdp, depending on how xrdp is installed on your system.
Run the script with privilege to check the procedure above has been correctly followed. An example successful run from FreeBSD looks like this:-
$ sudo /usr/local/share/xrdp/xrdp-chkpriv
Settings
- [xrdp.ini] runtime_user : xrdp
- [xrdp.ini] runtime_group : xrdp
- [xrdp.ini] certificate : /etc/xrdp/cert.pem
- [xrdp.ini] key_file : /etc/xrdp/key.pem
- [sesman.ini] SessionSockdirGroup : xrdp
-Info- runtime_user 'xrdp' appears to exist
-Info- runtime_group 'xrdp' appears to exist
-Info- xrdp.ini and sesman.ini agree on group ownership
-Info- /etc/xrdp/rsakeys.ini has correct permissions
-Info- /etc/xrdp/cert.pem is read-only for xrdp:xrdp
-Info- /etc/xrdp/key.pem is read-only for xrdp:xrdp
-Summary- Permissions appear to be correct to run xrdp unprivileged