Avoid running AdGuardHome as Root

[Belphemur]

Problem Description

Currently, AdGuardHome is always running as root, which for a program that deal with network call is less than ideal.

Proposed Solution

It can be achieved with changing the systemd configuration to give the right capabilities to bind on the default ports (like 53,80,443).

Alternatives Considered

Running AdGuardHome in a docker to reduce the possible impact in case of security issue.

Additional Information

Don't think you'll never have security issue, it always happens especially with the number of libraries used by the project that deal with the network.

[ihipop]

• AdGuardHome is not always running as root , It's you that run AdGuardHome as root
• Relative issue Do not require root for the first startup #1699 CanAutoUpdate should not decide by util.HaveAdminRights #2231

[ainar-g]

I agree that always running the whole program under root is icky, but that's the best we can do currently. On our wiki we have a page that describes how one can run AdGuardHome without superuser privileges (or systemd for that matter) on Linux. Some people on Linux also use our Snap packages for that.

[Belphemur]

@ihipop The default install script and even the first run require root. I know I can override the systemd service file, and do a chown on the folder but then the autoupdater will fail as you pointed out in your own issue.

I have other application like syncthing (also a go app) that has no problem running with its user, have its config file generated at first run & autoupdate without ever needing root.

@ainar-g You could implement a system where the app could drop root after it has initialized (if you really need to have root to start). Nginx does that by example.
You have code example for go like:
https://gist.github.com/jsimonetti/e31dced5875903d65677e66e103168cf
https://stackoverflow.com/questions/41248866/golang-dropping-privileges-v1-7

[ihipop]

@ihipop The default install script and even the first run require root. I know I can override the systemd service file, and do a chown on the folder but then the autoupdater will fail as you pointed out in your own issue.

The the first run does not require root ,see Relative issue #1699 b43223d

@ainar-g You could implement a system where the app could drop root after it has initialized (if you really need to have root to start). Nginx does that by example.

Nginx will create worker process as none root user, The master process is always run as root and also need root permission to start and listen under the configuration in conventional ways.
To start Nginx as none root also need the special configuration of administrator ,just like ADG.

[ameshkov]

There's a simple instruction on how to run AGH without root:
https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started#running-without-superuser

[Belphemur]

@ihipop True enough about Nginx, but the workers are the one handling the request while the master is the one spawning/managing the workers. This mean there isn't any network request handled by a process running as root.

@ameshkov For now it's not a solution until the autoupdate can run without root as said by @ihipop in #2231

After #2231 is fixed, I think this should be reopen to redo the installation script to not require root and set correctly a AdGuard user to run everything.

ps: Btw, don't get me wrong, AdGuard is amazing and light years ahead of PiHole. Easy to setup, provide so much feature and can handle more than 2M daily request. I'm very happy with it.