By default, our installers deploy both Unimus and Unimus Core to run as the "root" user on Linux. While this (running services on Linux as "root") is not the best practice for security, Unimus must run as "root", otherwise parts of the application will not work. This is because on Linux, to create a raw-type socket, you must be "root". Unimus, as a networking product, requires sending ICMP (ping) messages to the network, which on Linux require a raw socket, which in turn means Unimus must run as "root".
If you are OK with parts of the application not working (the parts that require sending ICMP packets), you can run Unimus under a non-root account.
- when running as non-root, Network Scan will not work
- when running as non-root, Device Ping in Device CLI Console will not work
As running under a non-root account will cause parts of the application to not work properly, we do not recommend running Unimus this way.
How to run as non-root
This guide can be used both for Unimus and / or Unimus Core. For Core, please substitute "unimus" for "unimus-core" where require.
1) run our Installer to deploy Unimus (or Unimus Core) as normal for the initial deploy
2) complete the Deploy Wizard and make sure Unimus properly functions
3) stop the Unimus service
systemctl stop unimus
4) create a new user and fix access to required directories
# create user SERVICE_USER="unimus-service" adduser $SERVICE_USER --system --no-create-home --shell "/bin/false" # assign directory permissions chown -R $SERVICE_USER /opt/unimus chown -R $SERVICE_USER /etc/unimus chown -R $SERVICE_USER /var/log/unimus chown $SERVICE_USER /etc/default/unimus
5) update the systemd unit file ("/etc/systemd/system/unimus.service") to run as the non-root user
The unit file will already be created and contain some configuration. Do not change it in any other way other than add the below line to the specified section:
# /etc/systemd/system/unimus.service [Unit] # ... other config here # ... [Service] # ... other config here # ... User=unimus-service [Install] # ... other config here # ...
6) restart Unimus and validate everything works
systemctl start unimus
How to perform upgrades for non-root deploys
Normally, our installer would over-write your systemd unit file with the latest official version, which would remove your user declaration. To avoid this, you need to run the installer with the "-m" (minimal upgrade) flag. Using this flag will make the installer to only update the application binary ("/opt/unimus/Unimus.jar") and not the other application files.
./install-unimus.sh -m