
Running Agent under restricted user account

Overview

For security purposes, it is sometimes necessary to run the Resilio Agent under a highly restricted user account. Follow the instructions below for your target OS:

Not supported for Windows Agents in a domain. Such Agents will encounter problems decrypting their settings after restart.

Steps (Windows):

Note that all command prompt commands below require admin privileges.

You can use the standard “Local System” account. However, as soon as you grant the Agent explicit permissions to access a particular folder, all other services running as “Local System” get that access too. It is therefore preferable to create a separate user to maximize isolation.

  1. Create a new user called “Resilio Connect Guest” and a new group called “Resilio Connect Guests”. Add the “Resilio Connect Guest” user to the “Resilio Connect Guests” and “Guests” groups.
  2. Open the Security Policy editor, and assign the following Policy items to the “Resilio Connect Guests” group:

    • Back up files and directories
    • Restore files and directories
    • Log on as a service
  3. Allow the “Resilio Connect Guests” group full control over the Resilio settings folder (typically \ProgramData\Resilio). Deny the “Resilio Connect Guests” group access to the C: drive (and any other sensitive drive).


  4. Allow the “Resilio Connect Guests” group (or the ResilioConnectGuest user) to access the folders where it is allowed to store data.


  5. Configure the Resilio Agent Service to run with the ResilioConnectGuest user credentials.


Steps (Linux):

  1. Install the Resilio Agent package manually or via a package manager.

     sudo dpkg -i <resilio>.deb
    
  2. Copy the Agent's configuration file to the /etc/resilio-agent directory.

     sudo mv sync.conf /etc/resilio-agent/sync.conf
    
  3. Install FUSE.

     sudo apt install libfuse2 fuse3
    
  4. Edit the /etc/fuse.conf file to allow non-root users to specify the allow_other or allow_root mount options.

     # The file /etc/fuse.conf allows for the following parameters:
     #
     # user_allow_other - Using the allow_other mount option works fine as root, in
     # order to have it work as user you need user_allow_other in /etc/fuse.conf as
     # well. (This option allows users to use the allow_other option.) You need
     # allow_other if you want users other than the owner to access a mounted fuse.
     # This option must appear on a line by itself. There is no value, just the
     # presence of the option.
    
     user_allow_other
    
     # mount_max = n - this option sets the maximum number of mounts.
     # Currently (2014) it must be typed exactly as shown
     # (with a single space before and after the equals sign).
    
     #mount_max = 1000
    
  5. Enable the agent service to start automatically as the isolated rslagent user

     sudo systemctl enable resilio-agent
    

    and start the service.

     sudo systemctl start resilio-agent
    

Note

Use POSIX permissions and groups to allow the agent service to access folders other than /home/rslagent.
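
The shell functions below are an added example, not part of Resilio's documentation or tooling: they verify steps 4 and 5 and apply the note on POSIX permissions and groups. The function names and the `rsldata` group are assumptions, as is the packaged unit setting `User=`; `/etc/fuse.conf`, `resilio-agent` and `rslagent` are the names used above.

```shell
#!/bin/sh
# Added example (not Resilio's code). Function names and the "rsldata" group
# are hypothetical; /etc/fuse.conf, resilio-agent and rslagent come from the page.

# Step 4 check: succeed only if FILE carries an active user_allow_other line.
# The option takes no value and must be alone on its line, so a commented-out
# line or "user_allow_other = 1" does not count.
fuse_allow_other_enabled() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# Step 5 check: print the account the unit is configured to run as.
# Assumes the packaged unit sets User=; empty output means it does not.
service_user() {
    systemctl show -p User --value "${1:-resilio-agent}"
}

# Note on POSIX permissions: hand DIR to GROUP with mode 2770, so group
# members (e.g. rslagent) get read/write, new files inherit the group via
# the setgid bit, and "other" gets no access at all.
share_dir_with_group() {
    chgrp "$2" "$1" && chmod 2770 "$1"
}

# Succeed if DIR is writable by "other". Such a folder is open to the agent
# and to every other account regardless of group membership, which defeats
# the isolation the dedicated rslagent user is meant to provide.
dir_is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# Typical use, as root:
#   groupadd rsldata && usermod -aG rsldata rslagent
#   share_dir_with_group /srv/projects rsldata
#   fuse_allow_other_enabled /etc/fuse.conf || echo "user_allow_other missing"
#   [ "$(service_user)" = rslagent ] || echo "service is not set to run as rslagent"
#   dir_is_world_writable /srv/projects && echo "folder is open to all users"
```
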

Steps (macOS):

  • Install the Agent normally (i.e. unpack the DMG to Applications). Ensure it is not in the launch items for your current user account.
  • Get the sync.conf file from your Management Console and add the "use_gui": false, line to it.
  • Download this shell script, which installs the Agent under a separate "resilioagent" account and launches it as a daemon. Ensure that the script has execute permissions:
    chmod +x deploy_agent.sh

  • Run the script, supplying the config file as a parameter:
    ./deploy_agent.sh sync.conf

If you need to stop the Agent, killing it through Activity Monitor won't take effect. To stop or start the Agent process, use the following commands:

sudo launchctl unload -w /Library/LaunchDaemons/com.resilio.agent.plist   
sudo launchctl load -w /Library/LaunchDaemons/com.resilio.agent.plist

From now on, Resilio Agent will start with OS X and will not require a user to be logged in. It only has limited access, to the folders allowed for the “resilioagent” user. You can use both POSIX.1 permissions and OS X ACLs to give the user (and, as a result, the Agent) access to other folders and resources. The Agent itself will deliver files that are readable and writable by everyone due to UMASK = 002. You can see all the parameters (password, umask, etc.) of the newly created user inside the script.