Cloudflared service runs as root 🐛

[darius-m]

Describe the bug
The cloudflared service install creates a service file that runs the cloudflared process as root. Unless some privileged operation is required (e.g. raw sockets), the service should run as a non-privileged user, such as cloudflared. Even with trusted processes, bugs that allow privilege escalation can appear.

To Reproduce
Steps to reproduce the behavior:

1. Run cloudflared service install;
2. A service file that starts the cloudflared process as root is created;
3. The cloudflare tunnel token is also visible in the service file (also reported by Unsecured cloudflared service tunnel secret storage on Windows #666).

Expected behavior
The cloudflare service runs as a non-privileged user, such as cloudflared. Additional restrictions, such as SELinux policies (e.g., similar to nginx), should also improve security.

Environment and versions

• OS: Centos Stream 8
• Architecture: AMD64 (should not be architecture-dependent)
• Version: 2022.6.2

Additional context
The issue may be resolved by adding User=cloudflared to the Service section of the configuration file. The user would have to be created, likely as a system user.

[joliveirinha]

Thanks for bringing this to our attention.

However, it is not clear to us at the moment if we want to make this change in the systemd unit file taking into consideration the features that we want to allow in the future, which would require root permissions. At least at the start of the process, and then we could downgrade.

That said, you can still do this change manually to the systemd unit if that fits your use-case of cloudflared.