DietPi-Software | MineOS: Run everything as unprivileged user #4551

Closed
MichaIng opened this issue Jul 10, 2021 · 3 comments · Fixed by #7276
Labels
Security 🔒 Solution available 🥂 Definite solution has been done

@MichaIng
Owner

Currently, as intended by the MineOS developers, the web interface runs as root user. One can log in as any UNIX user to install and run individual Minecraft servers.

A more consequent approach that fits more to the DietPi-like single person setup, would be to run the web interface as mineos user and limit web UI logins to this service user as well. The question is whether this is even possible with the UNIX user authentication mechanism used.

In the past we had a mineos user only for web UI logins. But it has limited permissions as of file ownership, hence root user still needs to be used for many tasks, and when using it once to install a Minecraft server, mineos cannot control it anymore. For a single person system this is a little inconvenient and for larger multi-purpose systems it is still an issue that the parent/UI service still runs as root and allows any unprivileged UNIX user to log in, create and run Minecraft servers, and that for administration tasks, the UNIX root user strictly requires a login password, while for system admin tasks SSH key authentication and sudo are common ways to avoid this.

Topic came up here: MichaIng/DietPi-Docs#529 (comment)

@MichaIng
Owner Author

MichaIng commented Nov 8, 2024

As long as MineOS makes use of UNIX user authentication, instead of an own/internal user management, running it as non-root user is not possible. It can start, when generating SSL certs within its own dir with proper permission, but as soon as one tries to log in:

Nov 08 22:24:25 VM-Bookworm MineOS[4450]: Uncaught Exception: Error: EACCES: permission denied, open '/etc/shadow'
Nov 08 22:24:25 VM-Bookworm MineOS[4450]: Error: EACCES: permission denied, open '/etc/shadow'
Nov 08 22:24:25 VM-Bookworm MineOS[4450]: About to exit with code 1
Nov 08 22:24:25 VM-Bookworm systemd[1]: mineos.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 22:24:25 VM-Bookworm systemd[1]: mineos.service: Failed with result 'exit-code'.
Nov 08 22:24:25 VM-Bookworm systemd[1]: mineos.service: Consumed 2.468s CPU time.

/etc/shadow contains the password hashes, and reasonably is accessible by root user only. I'll try again to at least log in with mineos user, and see/verify the limited permissions one has with it.
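
A triage sketch for the failure mode in the comment above, added here as an example and not part of the original comment or of the MineOS or DietPi code: it scans short-format journal lines (the sample is the log quoted above) for a process that was denied read access to a shadow file and reports whether a same-named unit then failed. Matching the syslog identifier to the unit name case-insensitively is an assumption of this example.

```python
import re

# Short journal format: "Mon DD HH:MM:SS host ident[pid]: message"
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} (?P<host>\S+) (?P<ident>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
DENIED = re.compile(r"EACCES: permission denied, open '(?P<path>/etc/g?shadow-?)'")
UNIT_FAILED = re.compile(r"^(?P<unit>\S+)\.service: Failed with result '(?P<result>[^']+)'")

# Sample input: log lines taken from the comment above.
SAMPLE = """\
Nov 08 22:24:25 VM-Bookworm MineOS[4450]: Uncaught Exception: Error: EACCES: permission denied, open '/etc/shadow'
Nov 08 22:24:25 VM-Bookworm MineOS[4450]: Error: EACCES: permission denied, open '/etc/shadow'
Nov 08 22:24:25 VM-Bookworm MineOS[4450]: About to exit with code 1
Nov 08 22:24:25 VM-Bookworm systemd[1]: mineos.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 22:24:25 VM-Bookworm systemd[1]: mineos.service: Failed with result 'exit-code'.
"""

def shadow_auth_failures(journal_text):
    """Return one finding per process that was denied access to a shadow file."""
    denied = {}     # (host, ident, pid) -> first shadow path that was denied
    failed = set()  # (host, lowercased unit name) for units systemd marked failed
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not in the short journal format, skip
        host, ident, msg = m["host"], m["ident"], m["msg"]
        if ident == "systemd":
            u = UNIT_FAILED.match(msg)
            if u:
                failed.add((host, u["unit"].lower()))
        else:
            d = DENIED.search(msg)
            if d:
                # Repeated messages from the same process collapse into one finding.
                denied.setdefault((host, ident, m["pid"]), d["path"])
    return [
        # Assumption: the syslog identifier equals the unit name, ignoring case.
        {"host": h, "process": i, "pid": p, "path": path,
         "unit_failed": (h, i.lower()) in failed}
        for (h, i, p), path in denied.items()
    ]

if __name__ == "__main__":
    for finding in shadow_auth_failures(SAMPLE):
        print(finding)
```

A finding with `unit_failed` set means the service exited on the denied read, which is the behaviour the log above shows for a non-root service that authenticates against /etc/shadow itself.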

@MichaIng
Owner Author

MichaIng commented Nov 8, 2024

Ahh, there is one way via proot: https://wiki.codeemo.com/install/rootless.html
But that for now, trying with mineos for login only. Weirdly, I cannot get the Minecraft server to start, for now ...
EDIT: Works, but Minecraft 1.21 requires Java 21, while Bookworm ships with Java 17 only.

MichaIng added this to the v9.9 milestone Nov 8, 2024
MichaIng linked a pull request Nov 8, 2024 that will close this issue
MichaIng added the Solution available 🥂 Definite solution has been done label Nov 8, 2024
@MichaIng
Owner Author

MichaIng commented Nov 9, 2024

PR up to create again a non-root login user. Seems to work all well: #7276
