This document explains how to securely configure ActiveDebianSync by running it under a dedicated Unix user.
By default, ActiveDebianSync can run as root, but doing so introduces unnecessary security risks.
It is strongly recommended to configure the daemon to run under a dedicated, restricted system user with minimal privileges.
# Create the user (no shell, no accessible home directory)
sudo useradd -r -s /bin/false -d /var/lib/ActiveDebianSync -c "ActiveDebianSync Daemon" debian-sync
# Create required directories
sudo mkdir -p /var/lib/ActiveDebianSync/mirror
sudo mkdir -p /var/log/ActiveDebianSync
sudo mkdir -p /etc/ActiveDebianSync
# Set permissions
sudo chown -R debian-sync:debian-sync /var/lib/ActiveDebianSync
sudo chown -R debian-sync:debian-sync /var/log/ActiveDebianSync
Update the configuration file
Edit /etc/ActiveDebianSync/config.json and add:
{
"run_as_user": "debian-sync",
"run_as_group": "debian-sync",
...
}
The dedicated user must have:
/etc/ActiveDebianSync/config.json
/etc/ActiveDebianSync/server.crt (if HTTPS)
/etc/ActiveDebianSync/server.key (if HTTPS)
/var/lib/ActiveDebianSync/mirror/
/var/log/ActiveDebianSync/sync.log
/var/log/ActiveDebianSync/access.log
/var/run/activedebiansync.pid (or alternative PID path)
CAP_NET_BIND_SERVICE
{
"http_port": 8080,
"https_port": 8443
}
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/activedebiansync
The systemd service must start as root so the daemon can drop privileges internally:
[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/activedebiansync -config /etc/ActiveDebianSync/config.json
Do NOT set User= to debian-sync here because ActiveDebianSync handles its own user switching.
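To confirm the directory and file layout described above after setup, the following added example (not part of ActiveDebianSync or its documentation) checks that the mirror and log directories belong to the daemon user and are not world-writable, and that server.key, when present, grants no access to "other". It assumes GNU stat; the function names and the pass/fail policy are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not shipped with ActiveDebianSync. Assumes GNU stat (-c).
# Function names and the pass/fail policy are illustrative assumptions.

# check_owned PATH USER: PATH must exist, belong to USER,
# and must not be writable by "other".
check_owned() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    owner=$(stat -c '%U' "$1")
    mode=$(stat -c '%a' "$1")
    [ "$owner" = "$2" ] || { echo "OWNER    $1 is $owner, want $2"; return 1; }
    # The last octal digit holds the "other" bits; 2, 3, 6 and 7 include write.
    case "$mode" in
        *[2367]) echo "WRITABLE $1 mode $mode is world-writable"; return 1 ;;
    esac
    echo "OK       $1 ($owner, $mode)"
}

# check_private_key PATH: the key must grant nothing to "other".
# Ownership is not checked here because the page does not state it.
check_private_key() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *0) echo "OK       $1 ($mode)" ;;
        *)  echo "EXPOSED  $1 mode $mode grants access to other"; return 1 ;;
    esac
}

# audit_layout ROOT USER: run every check under ROOT.
# Pass "" as ROOT to audit the live system paths.
audit_layout() {
    root=$1
    user=$2
    rc=0
    check_owned "$root/var/lib/ActiveDebianSync/mirror" "$user" || rc=1
    check_owned "$root/var/log/ActiveDebianSync" "$user" || rc=1
    # server.key only exists when HTTPS is enabled, so it is optional.
    key="$root/etc/ActiveDebianSync/server.key"
    if [ -e "$key" ]; then
        check_private_key "$key" || rc=1
    fi
    return "$rc"
}
```

On a configured host, source the file and run `audit_layout "" debian-sync`; a non-zero exit status means at least one check failed.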