Bug#1132570: xrdp: Insecure default configuration, the xrdp daemon runs as root

2026-04-15 Thread Steven Robbins
Hello,

Thanks for the security upgrade!

On Fri, 03 Apr 2026 15:05:51 +0700 Arnaud Rebillout wrote:

> Upstream also provides the script /usr/share/xrdp/xrdp-chkpriv to print
> some diagnostics, currently the output is as such:
> 
> ```
> # /usr/share/xrdp/xrdp-chkpriv
> Settings
>  - [xrdp.ini]   runtime_user:
>  - [xrdp.ini]   runtime_group   :
>  - [xrdp.ini]   certificate : /etc/xrdp/cert.pem
>  - [xrdp.ini]   key_file: /etc/xrdp/key.pem
>  - [sesman.ini] SessionSockdirGroup :
> 
> [ WARN ] This system is not configured to run xrdp without privilege
> ```

After upgrade, the output was all OK except for: 
[  NG  ] /etc/xrdp/key.pem is not readable by xrdp:xrdp

The reason is that on my system key.pem is a symbolic link to
/etc/ssl/private/ssl-cert-snakeoil.key and the snakeoil file permissions are:
  -rw-r- 1 root ssl-cert 1704 Oct 14  2019 /etc/ssl/private/ssl-cert-snakeoil.key

I fixed it by sudo adduser xrdp ssl-cert.

I'm unclear whether my system is a common setup or perhaps unique.  In the 
former case, I wonder if the xrdp install scripts could take care of this 
case?

Best,
-Steve
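
Added example, not part of the thread and not xrdp's own script: a Python check that follows the key.pem symlink described above and lists every path component whose mode bits deny a given account, which is the situation the NG line reports. The function names are hypothetical; the account name and key path are the ones shown in the messages.

```python
import grp
import os
import pwd
import stat


def _allowed(st, uid, gids, want):
    # POSIX picks exactly one class: owner, else group, else other.
    # `want` is given in the "other" position (S_IROTH or S_IXOTH).
    if uid == 0:
        return True  # root bypasses these mode checks
    if st.st_uid == uid:
        return bool(st.st_mode & (want << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (want << 3))
    return bool(st.st_mode & want)


def blocked_components(path, uid, gids):
    """List each component of the symlink-resolved path that denies access:
    directories need search (x), the final file needs read (r).
    Mode bits only; ACLs are not considered."""
    real = os.path.realpath(path)  # e.g. key.pem -> the file it links to
    parts = [p for p in real.split(os.sep) if p]
    blocked, current = [], os.sep
    if not _allowed(os.stat(current), uid, gids, stat.S_IXOTH):
        blocked.append(current)
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        want = stat.S_IROTH if i == len(parts) - 1 else stat.S_IXOTH
        if not _allowed(os.stat(current), uid, gids, want):
            blocked.append(current)
    return blocked


def ids_for(user):
    # Assumption: the daemon runs with the account's primary and
    # supplementary groups, as a normal login for that account would.
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    uid, gids = ids_for("xrdp")  # runtime_user value from the xrdp.ini extract
    for denied in blocked_components("/etc/xrdp/key.pem", uid, gids):
        print("not accessible to xrdp:", denied)
```

Run it as root so that every component of the path can be stat'ed.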








Bug#1132570: xrdp: Insecure default configuration, the xrdp daemon runs as root

2026-04-03 Thread Arnaud Rebillout
Package: xrdp
Version: 0.10.5-4
Severity: normal
User: [email protected]
Usertags: origin-kali

Dear Maintainer,

out of the box, the xrdp daemon runs as root:

```
$ ps faux | grep xrdp
root 451  0.0  0.4  11524  4496 ?  Ss 01:26 0:00 /usr/sbin/xrdp-sesman --nodaemon
root 480  0.0  0.6  12312  6768 ?  Ss 01:26 0:00 /usr/sbin/xrdp --nodaemon
```

This is not recommended, upstream warns against it, and provides some
settings to avoid that, see this part from /etc/xrdp/xrdp.ini:

```
; Unprivileged User name and group to run the xrdp daemon.
; It is HIGHLY RECOMMENDED you set these values. See the xrdp.ini(5)
; manpage for more information on setting and checking these.
#runtime_user=xrdp
#runtime_group=xrdp
```

Upstream also provides the script /usr/share/xrdp/xrdp-chkpriv to print
some diagnostics, currently the output is as such:

```
# /usr/share/xrdp/xrdp-chkpriv
Settings
 - [xrdp.ini]   runtime_user:
 - [xrdp.ini]   runtime_group   :
 - [xrdp.ini]   certificate : /etc/xrdp/cert.pem
 - [xrdp.ini]   key_file: /etc/xrdp/key.pem
 - [sesman.ini] SessionSockdirGroup :

[ WARN ] This system is not configured to run xrdp without privilege
```

Now, for a bit of background.

Debian bookworm shipped with xrdp 0.9 series, and if you try it out,
you'll see that the xrdp daemon runs as the xrdp user. This was achieved
via some Debian-specific patches.

From Debian trixie and onward, Debian shipped with xrdp 0.10 series, and
two things happened:
* most of the Debian patches were dropped
* upstream started to provide a mechanism so that the xrdp daemon can
  drop privileges (see the xrdp.ini extract aforementioned), however
  this was never enabled in the Debian package

Consequently, from trixie onward the xrdp daemon runs as root. I think
it's a significant regression in terms of security. We must provide a
better setup out of the box for our users.

Please find a tentative merge request at:
https://salsa.debian.org/debian-remote-team/xrdp/-/merge_requests/13

With this MR, new xrdp installations will have the xrdp daemon run
unprivileged out-of-the-box.

For upgrades, users who modified their xrdp.ini file and decide to keep
their own versions will not benefit from this change. Maybe that would
warrant a NEWS entry to explain that the default config was insecure for
xrdp 0.10.x, and what steps should be done to fix that manually? Steps
are actually simple, there are just 3 settings to uncomment in xrdp.ini
and sesman.ini.

What do you think?

Cheers,

Arnaud