usbguard hardening #460

@ghost

Description

To be clear, this is not a bug report, more of a logic check or a feature-request.

I've been using usbguard (manually built from git) for quite some time, both on Arch Linux and Ubuntu LTS machines. In an attempt to harden my systemd services as tight as possible I noticed usbguard-daemon runs as root and the usbguard.service uses a PIDFile. Both are not optimal IMO (I am aware of the -C switch though).

Recently systemd began stressing that PID files should be avoided in modern projects, advising to use Type=notify or Type=simple to avoid needless forking. Running usbguard without the PIDFile=/run/usbguard.pid and as Type=simple seems to work just fine when using ExecStart=/usr/bin/usbguard-daemon -s -c /etc/usbguard/usbguard-daemon.conf (so dropping -f). What is the rationale behind using Type=forking currently?

Trying to run usbguard-daemon as an unprivileged, non-root user seems impossible with the current code base. systemd's DynamicUser concept or the more traditional /usr/lib/sysusers.d/foo.conf mechanism both fail due to what I think are the in-built permissions/ownership checks on dirs/files under /etc/usbguard. I sure don't want to use the -P switch to drop these checks, but I've tried and even then the service goes into failure mode. Is there a known, documented way of running usbguard-daemon as an unprivileged user (e.g. usbguard)? If not, is such a feature planned or does it make no sense to even consider such a scenario?
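
An added example, not part of the original issue or the usbguard project's code: a small Python check that merges a unit file with a drop-in override the way systemd applies them (an empty assignment resets a setting) and flags the points the issue raises. The sample unit and drop-in are constructed, and the function names and the position of `-f` in the sample `ExecStart` are assumptions.

```python
# Constructed samples: a forking unit like the one the issue describes, and a
# drop-in that applies the changes the issue reports as working.
SAMPLE_UNIT = """\
[Service]
Type=forking
PIDFile=/run/usbguard.pid
ExecStart=/usr/bin/usbguard-daemon -f -s -c /etc/usbguard/usbguard-daemon.conf
"""
SAMPLE_DROPIN = """\
[Service]
Type=simple
PIDFile=
ExecStart=
ExecStart=/usr/bin/usbguard-daemon -s -c /etc/usbguard/usbguard-daemon.conf
"""


def parse_service(*texts):
    """Merge the [Service] sections of a unit and its drop-ins, in order."""
    merged = {}
    for text in texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line and line[0] not in "#;":
                key, value = (part.strip() for part in line.split("=", 1))
                if value == "":
                    merged.pop(key, None)  # empty assignment resets the setting
                elif key.startswith("Exec"):
                    merged.setdefault(key, []).append(value)  # list-valued
                else:
                    merged[key] = value  # last assignment wins
    return merged


def audit(service):
    """Return findings for the settings questioned in the issue."""
    cmds = service.get("ExecStart", [])
    unprivileged = "User" in service or service.get("DynamicUser") in ("yes", "true", "1", "on")
    checks = [
        (service.get("Type") == "forking", "Type=forking"),
        ("PIDFile" in service, "PIDFile set"),
        (any("-f" in c.split() for c in cmds), "ExecStart passes -f"),
        (not unprivileged, "runs as root (no User= or DynamicUser=)"),
    ]
    return [msg for hit, msg in checks if hit]
```

With only the sample unit, all four findings are reported; with the drop-in merged, only the root finding remains, which is the open question in the issue.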
