Score:0

Setup A Program to Run At Startup As A Specified User On Linux


I have a server running Debian 12 that does not have root login enabled, as recommended by many. I do have another privileged user account, admin, on the server.

I have a program that does not come with a service bundled with it.

I have created a user, unprivileged, on the server that has limited access to the filesystem and no sudo.

I have an application, owned by unprivileged, that I would like to run as unprivileged at startup.

For now I have manually logged in as admin, run screen, then sudo su unprivileged to change user, then inside the screen run ./program, and finally pressed Ctrl+A, D to detach from the screen and leave it running in the background.

I doubt it is safe to run applications this way, as it seems like a way for a potential attacker to escape to the more privileged shell. It concerns me, as it does seem like a hack.

How can I set up my system so that ./program runs at startup, in the background, as my low-privileged user unprivileged? Are there any other "obvious" setups I should be aware of in this situation?

Nikita Kipriyanov (comment): Use a systemd service with Type=simple or Type=exec. There are plenty of manuals on the Internet; what have you tried so far, and what went wrong?
Score:3

crontab

This solution could work for you only if you need to interact with the program the way you do now. You could put the program and the screen in the crontab of the user unprivileged, e.g.:

  1. Run sudo su -c 'crontab -e' unprivileged

  2. Add a line:

    @reboot sleep 60 && /usr/bin/screen -d -m /home/unprivileged/program
    

    Where,

    • @reboot runs the command at the boot
    • sleep 60 && adds a delay of 60 seconds before running the program
    • /usr/bin/screen puts the program inside a screen terminal multiplexer
    • -d -m starts the screen in detached mode (useful for system startup scripts)
    • /home/unprivileged/program is the path for the actual program

This way both the screen and the ./program are run as the user, and you can interact with the program by:

$ sudo su - unprivileged
$ screen -r

systemd service

If the program can be run in the background without user interaction, this is the best option. The program will run as a service, and its stdout and stderr will be sent to the systemd journal.

  1. Place a unit file to /etc/systemd/system/unprivileged-program.service, e.g.,

    [Unit]
    Description=Service for running program as user unprivileged
    
    [Service]
    Type=simple
    User=unprivileged
    WorkingDirectory=/home/unprivileged
    ExecStart=/home/unprivileged/program
    Restart=always
    
    [Install]
    WantedBy=multi-user.target
    
  2. Reload the service files: sudo systemctl daemon-reload

  3. Start your new service: sudo systemctl start unprivileged-program.service

  4. Check the program is running correctly, e.g., with

    • sudo systemctl status unprivileged-program.service
    • sudo journalctl -u unprivileged-program

  5. Enable the service to be started on every boot: sudo systemctl enable unprivileged-program.service
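As an added example, not code from the answer above: a POSIX shell script that renders a hardened version of that unit, installs it, runs static checks on it, and then performs the daemon-reload / enable / status steps. The user name unprivileged, the path /home/unprivileged/program and the unit name unprivileged-program.service are taken from the answer; the sandboxing directives, the environment-variable overrides and the function names (render_unit, install_unit, check_unit, activate) are my own additions and assume the program keeps all its state under its home directory.

```shell
#!/bin/sh
# Added example, not code from the original answer: render a hardened systemd
# unit for a program owned by an unprivileged user, install it, and check it.
# Defaults follow the answer above; override them via environment variables.
set -eu

SVC_USER="${SVC_USER:-unprivileged}"
SVC_BIN="${SVC_BIN:-/home/unprivileged/program}"
UNIT_NAME="${UNIT_NAME:-unprivileged-program.service}"
UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"   # point at a scratch dir to dry-run

# Print the unit. User= drops privileges; the extra [Service] directives limit
# what a compromised program can still reach: no setuid/capability gains,
# read-only /usr and /etc, private /tmp and /dev, and only its own home
# directory visible (ProtectHome=tmpfs hides every other home, BindPaths=
# maps the program's own directory back in, read-write).
render_unit() {
    home_dir=$(dirname "$SVC_BIN")
    cat <<EOF
[Unit]
Description=Run $SVC_BIN as user $SVC_USER
After=network.target

[Service]
Type=simple
User=$SVC_USER
WorkingDirectory=$home_dir
ExecStart=$SVC_BIN
Restart=always
RestartSec=5
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=tmpfs
BindPaths=$home_dir
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit into UNIT_DIR with sane permissions and print its path.
install_unit() {
    target="$UNIT_DIR/$UNIT_NAME"
    render_unit > "$target"
    chmod 0644 "$target"
    printf '%s\n' "$target"
}

# Static checks that need no running systemd: the service never runs as root
# and the hardening directives are actually present in the file.
check_unit() {
    file="$1"
    grep -qx "User=$SVC_USER" "$file" || return 1
    ! grep -q '^User=root' "$file" || return 1
    for key in NoNewPrivileges=true ProtectSystem=full ProtectHome=tmpfs PrivateTmp=true; do
        grep -qx "$key" "$file" || return 1
    done
}

# Live steps on the target host (run with sudo). systemd-analyze verify catches
# typos in directive names before the unit is enabled; systemd-analyze security
# reports the unit's exposure score, so you can see what each directive buys.
activate() {
    systemctl daemon-reload
    systemd-analyze verify "$UNIT_DIR/$UNIT_NAME"
    systemctl enable --now "$UNIT_NAME"
    systemctl --no-pager status "$UNIT_NAME"
    systemd-analyze security "$UNIT_NAME"
}

case "${1:-}" in
    install) unit=$(install_unit) && check_unit "$unit" && activate ;;
    print)   render_unit ;;
esac
```

Run `sh ./install-unit.sh print` to see the unit without touching the system, or `sudo sh ./install-unit.sh install` on the server to install and start it. Setting UNIT_DIR to a scratch directory lets install_unit and check_unit run without root. If the program needs to write somewhere outside its home directory, add that path with ReadWritePaths=; otherwise ProtectSystem=full will make the write fail, which is the intended behaviour.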
