Issue: Services Running as Root User
Severity: High
Type: Security - Privilege Escalation
Description
All services (Xvfb, VNC server, websockify, cloudflared) are started without privilege separation or dropping to a less privileged user. The script runs with root permissions.
```bash
# install.sh lines 288-310
Xvfb :99 -screen 0 1920x1080x24 &
vncserver :99 &
websockify --web=/usr/share/novnc 6080 localhost:5901 &
```
Impact
- If any of these services are compromised through a vulnerability, the attacker gains root access
- Violates principle of least privilege
- Any service vulnerability = complete system compromise
- No isolation between services
Suggested Fix
- Create a dedicated user account for VNC services
- Use sudo for necessary operations only
- Drop privileges after binding to required ports
- Implement AppArmor/SELinux profiles for each service
- Run services in containers with limited capabilities
Files Affected
install.sh (lines 288-310)
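One way to apply the "dedicated user account" fix to the three launch lines quoted above, with an audit check for services still running as root. This is an added example, not code from install.sh or the project; the account name `vncsvc`, the function names and the sample `ps` output are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of install.sh. SVC_USER and all function names
# are hypothetical. Root is needed only to create the account and call runuser.
SVC_USER="${SVC_USER:-vncsvc}"

# Create a system account without a login shell if it does not exist yet.
ensure_service_user() {
    id -u "$SVC_USER" >/dev/null 2>&1 ||
        useradd --system --create-home --shell /usr/sbin/nologin "$SVC_USER"
}

# Start "$@" in the background as $SVC_USER via runuser (util-linux).
# DRY_RUN=1 prints the command line instead of executing it.
start_unprivileged() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "runuser -u $SVC_USER -- $*"
    else
        runuser -u "$SVC_USER" -- "$@" &
    fi
}

# Replacement for the three launch lines quoted in the issue. Ports 6080 and
# 5901 are above 1023, so none of these services needs root to bind.
# cloudflared's command line is not shown in the issue; wrap it the same way.
start_all() {
    ensure_service_user || return 1
    start_unprivileged Xvfb :99 -screen 0 1920x1080x24
    start_unprivileged vncserver :99
    start_unprivileged websockify --web=/usr/share/novnc 6080 localhost:5901
}

# Audit: read `ps -eo user=,args=` lines on stdin and print every line where
# one of the services still runs as root; exit status 1 if any is found.
# The name pattern is an assumption (vncserver wrappers spawn Xvnc variants).
root_services() {
    awk '$1 == "root" && tolower($0) ~ /xvfb|vnc|websockify|cloudflared/ {
             print; bad = 1 }
         END { exit bad + 0 }'
}

# Constructed sample of `ps -eo user=,args=` output (not from a real host).
SAMPLE_PS='root Xvfb :99 -screen 0 1920x1080x24
vncsvc /usr/bin/python3 /usr/bin/websockify --web=/usr/share/novnc 6080 localhost:5901
root /usr/sbin/sshd -D
root /usr/local/bin/cloudflared'
```

On a live host the audit is fed with `ps -eo user=,args= | root_services`. vncserver keeps its per-user configuration and password file under the invoking user's home directory, so these must exist for the service account before the first start.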