
User=nobody is discouraged by systemd as inherently unsafe #428

@ghost

Description

Please answer all the questions with enough information. All issues not following this template will be closed immediately.
If you are not sure if your question is truly a bug in V2Ray, please discuss it here first.

  1. What version of V2Ray are you using (If you deploy different version on server and client, please explicitly point out)?

OS: Arch Linux
$ pacman -Q systemd v2ray
systemd 246.6-1
v2ray 4.32.1

  1. What's your scenario of using V2Ray? E.g., Watching YouTube videos in Chrome via Socks/VMess proxy.

General testing.

  1. What did you see? (Please describe in detail, such as timeout, fake TLS certificate etc)

Starting the systemd service throws a warning, stating that User=nobody is unsafe.

  1. What's your expectation?

Running the systemd service as reasonably safe and secure as possible.

  1. Please attach your configuration file (Mask IP addresses before submit this issue).

Server configuration:

{
    "inbounds": [
        {
            "port": 10086, // Server Listening Port
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": "b831381d-6324-4d53-ad4f-8cda48b30811"
                    }
                ]
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ]
}

Client configuration:

{
    "inbounds": [
        {
            "port": 1080, // SOCKS Proxy Port. Configure the browser proxy to use this port.
            "listen": "127.0.0.1",
            "protocol": "socks",
            "settings": {
                "udp": true
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "vmess",
            "settings": {
                "vnext": [
                    {
                        "address": "server", // Server address: Change to your server hostname or ip address.
                        "port": 10086, // Server Listening Port
                        "users": [
                            {
                                "id": "b831381d-6324-4d53-ad4f-8cda48b30811"
                            }
                        ]
                    }
                ]
            }
        },
        {
            "protocol": "freedom",
            "tag": "direct"
        }
    ],
    "routing": {
        "domainStrategy": "IPOnDemand",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "geoip:private"
                ],
                "outboundTag": "direct"
            }
        ]
    }
}

  1. Please attach error logs, especially the bottom lines if the file is large. Error log file is usually at /var/log/v2ray/error.log on Linux.

Server error log:

N/A

Client error log:

N/A

  1. Please attach access log. Access log is usually at '/var/log/v2ray/access.log' on Linux.

N/A

  1. Other configurations (such as Nginx) and logs.

  2. If V2Ray doesn't run, please attach output from --test.

The command is usually /usr/bin/v2ray/v2ray --test --config /etc/v2ray/config.json, but may vary according to your scenario.

  1. If V2Ray service doesn't run, please attach journal log.

Usual command is journalctl -u v2ray.

Please review your issue before submitting.

Systemd recently started to discourage the use of User=nobody. I have successfully used a dynamic user configuration in the v2ray.service unit (see below), but that might not be the best way to deal with this. Lots of OSes have an older systemd version and it's hard to determine/maintain when all the needed systemd options are supported. IMHO it would be easier to create a dedicated unprivileged user (e.g. v2ray) via systemd-sysusers.

[Unit]
Description=V2Ray Service
Documentation=https://www.v2fly.org/
After=network.target nss-lookup.target

[Service]
#User=nobody
DynamicUser=true
CacheDirectory=v2ray
LogsDirectory=v2ray
RuntimeDirectory=v2ray
StateDirectory=v2ray
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/usr/bin/v2ray -config /etc/v2ray/config.json
Restart=on-failure
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target
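
The dedicated-user alternative mentioned in the issue, sketched as an added example (not code from the issue author or the V2Ray project): it stages a sysusers.d entry and a unit drop-in under a packaging root, then checks which User= wins once the drop-in is read after the unit. The account name v2ray, both file paths, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example. The account name "v2ray" and both file paths are assumptions.

# Stage the files under a packaging root (DESTDIR), as a distro package would.
stage_v2ray_user() {
    destdir=$1
    sysusers_dir="$destdir/usr/lib/sysusers.d"
    dropin_dir="$destdir/usr/lib/systemd/system/v2ray.service.d"
    mkdir -p "$sysusers_dir" "$dropin_dir" || return 1

    # sysusers.d(5) line: type, name, ID, GECOS. "-" as ID lets
    # systemd-sysusers allocate a system UID and a group of the same name.
    printf '%s\n' 'u v2ray - "V2Ray Service"' > "$sysusers_dir/v2ray.conf" || return 1

    # Drop-in overriding User=nobody; the directories become owned by v2ray.
    cat > "$dropin_dir/10-user.conf" <<'EOF'
[Service]
User=v2ray
Group=v2ray
LogsDirectory=v2ray
StateDirectory=v2ray
EOF
}

# Print the User= that wins for [Service] when the unit file and its drop-ins
# are read in order (a later assignment replaces an earlier one).
effective_user() {
    awk '
        FNR == 1               { in_service = 0 }
        /^[ \t]*[#;]/          { next }
        /^\[/                  { in_service = ($0 ~ /^\[Service\]/); next }
        in_service && /^User=/ { user = substr($0, 6) }
        END                    { print user }
    ' "$@"
}
```

With a static account the service user must be able to read /etc/v2ray/config.json, so check that file's ownership and mode when switching away from nobody.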
