Overview
For security purposes, it is sometimes necessary to run Resilio Agent under a highly restricted user account. Follow the instructions below for your target OS:
Steps (Windows):
Note that all command prompt commands below require admin privileges.
You can use the standard “Local System” account, but as soon as you grant the Agent explicit permissions to access a particular folder, all other services running as “Local System” get this access, too. It is therefore preferable to create a separate user to maximize isolation.
1. Create a new User called “Resilio Connect Guest” and a new Group called “Resilio Connect Guests”.
Add “Resilio Connect Guest” user to the “Resilio Connect Guests” and to the “Guests” groups.
2. Open the Security Policy editor, and assign the following Policy items to the “Resilio Connect Guests” group:
- Back up files and directories
- Restore files and directories
- Log on as a service
3. Allow the “Resilio Connect Guests” Group full control over the Resilio settings folder (typically \ProgramData\Resilio). Deny the “Resilio Connect Guests” Group access to the C: drive (and any other sensitive drive).
4. Allow the “Resilio Connect Guests” Group (or the ResilioConnectGuest User) to access the folders where it is allowed to store data.
5. Configure the Resilio Agent Service to run with the ResilioConnectGuest user credentials.
Steps (Linux):
Install the package on Linux (manually or via a package manager), copy the agent's config to the /etc/resilio-agent directory and start the service.
sudo dpkg -i <resilio>.deb
sudo mv sync.conf /etc/resilio-agent/sync.conf
sudo systemctl enable <agent-service>
sudo systemctl start <agent-service>
It will start automatically and set itself to autorun as the isolated “rslagent” user. Use POSIX permissions and groups to allow the Agent access to folders other than /home/rslagent.
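One way to grant that access through a dedicated group and then check that nothing wider was opened, as an added example (not Resilio's own tooling). It assumes GNU coreutils and findutils; the function names are hypothetical, and the group you pass in is one you create and add “rslagent” to.

```shell
#!/bin/sh
# Added example, not part of the Resilio package. Assumes GNU stat/find.

# share_with_agent DIR GROUP
# Hand DIR to GROUP with mode 2770: owner and group get full access,
# everyone else none, and setgid makes new files inherit GROUP.
share_with_agent() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    chgrp "$group" "$dir" && chmod 2770 "$dir"
}

# audit_agent_dir DIR GROUP   (GROUP may be a name or a numeric gid)
# Prints one FAIL line per finding; returns 0 only if DIR is clean.
audit_agent_dir() {
    dir=$1; group=$2; rc=0
    gname=$(stat -c '%G' "$dir") || return 2
    gid=$(stat -c '%g' "$dir")
    mode=$(stat -c '%a' "$dir")
    case "$group" in
        "$gname"|"$gid") ;;
        *) echo "FAIL: $dir belongs to group $gname, expected $group"; rc=1 ;;
    esac
    # The last octal digit of the mode holds the permissions for "others".
    others=${mode#"${mode%?}"}
    [ "$others" = 0 ] || { echo "FAIL: others have access (mode $mode)"; rc=1; }
    [ -g "$dir" ] || { echo "FAIL: setgid not set, new files keep the creator's group"; rc=1; }
    # World-writable entries would let any local account alter synced data.
    ww=$(find "$dir" -mindepth 1 ! -type l -perm -0002 2>/dev/null | head -n 5)
    [ -z "$ww" ] || { echo "FAIL: world-writable entries:"; echo "$ww"; rc=1; }
    return $rc
}

# Typical use, as root (path and group name are placeholders):
#   share_with_agent /srv/agent-data agent-data && audit_agent_dir /srv/agent-data agent-data
```

Run the audit again after the first sync job, since files the Agent writes carry whatever mode its umask produces.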
Steps (macOS):
- Install Agent normally (i.e. unpack the DMG to Applications). Ensure it is not in launch items for your current user account.
- Get the sync.conf file from your Management Console and add the following line to it:
"use_gui": false,
- Download this shell script, which installs the Agent under a separate "resilioagent" account and launches it as a daemon. Ensure that the script has execute permissions:
chmod +x deploy_agent.sh
- Run the script, supplying the config file as a parameter:
./deploy_agent.sh sync.conf
If you need to stop the Agent, killing it through Activity Monitor won't take effect. To stop or start the Agent process, use the following commands:
sudo launchctl unload -w /Library/LaunchDaemons/com.resilio.agent.plist
sudo launchctl load -w /Library/LaunchDaemons/com.resilio.agent.plist
From now on, Resilio Agent will start with OS X and will not require a user to be logged in. It has access only to the folders allowed for the “resilioagent” user. You can use both POSIX.1 permissions and OS X ACLs to give the user (and, as a result, the Agent) access to other folders and resources. The Agent itself will deliver files available for reading and writing to everyone due to UMASK = 002. You can see all the parameters (password, umask, etc.) of the newly created user inside the script.