diff --git a/nix/package.nix b/nix/package.nix
index 64ec315f..8c01ad24 100644
--- a/nix/package.nix
+++ b/nix/package.nix
@@ -35,6 +35,7 @@
webkitgtk_4_1
openssl
libayatana-appindicator
+ desktop-file-utils
];
nativeBuildInputs = with pkgs; [
diff --git a/resources-linux/defguard-service.service b/resources-linux/defguard-service.service
index bce9f07b..cdfb3dc7 100644
--- a/resources-linux/defguard-service.service
+++ b/resources-linux/defguard-service.service
@@ -5,6 +5,7 @@ Wants=network-online.target
After=network-online.target
[Service]
+Group=defguard
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/sbin/defguard-service
KillMode=process
diff --git a/resources-linux/postinst b/resources-linux/postinst
index fabecdca..00c814e9 100644
--- a/resources-linux/postinst
+++ b/resources-linux/postinst
@@ -1,3 +1,70 @@
-systemctl daemon-reload
-systemctl enable defguard-service
-systemctl start defguard-service
+#!/bin/sh
+set -e
+
+GROUP_NAME="defguard"
+SERVICE_NAME="defguard-service"
+
+case "$1" in
+ configure)
+ # Create the group if it doesn't exist
+ if ! getent group "$GROUP_NAME" >/dev/null; then
+ addgroup --system "$GROUP_NAME"
+ echo "Created group $GROUP_NAME"
+ fi
+
+ # Determine target user
+ TARGET_USER=""
+ if [ -n "$SUDO_USER" ] && [ "$SUDO_USER" != "root" ]; then
+ TARGET_USER="$SUDO_USER"
+ elif [ -n "$USER" ] && [ "$USER" != "root" ]; then
+ TARGET_USER="$USER"
+ fi
+
+ # Add user to group if we found a valid target
+ if [ -n "$TARGET_USER" ]; then
+ if getent passwd "$TARGET_USER" >/dev/null; then
+ # Try to add user to group and check if it succeeded
+ if usermod -a -G "$GROUP_NAME" "$TARGET_USER"; then
+ echo "Added user $TARGET_USER to group $GROUP_NAME"
+
+ # Only show reboot message if user was actually added
+ echo "================================================"
+ echo " IMPORTANT: Reboot or Re-login Required"
+ echo "================================================"
+ echo "The user has been added to the defguard group."
+ echo "Please reboot or log out and back in for the"
+ echo "group membership changes to take effect."
+ echo "================================================"
+ else
+ echo "Warning: Failed to add user $TARGET_USER to group $GROUP_NAME"
+ exit 1
+ fi
+ fi
+ fi
+
+ # Handle systemd service
+ if [ -d /run/systemd/system ]; then
+ # Reload systemd to recognize new service file
+ systemctl daemon-reload
+
+ # Enable service to start on boot
+ systemctl enable "$SERVICE_NAME"
+
+ # Start the service now
+ systemctl start "$SERVICE_NAME"
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ # On failed operations, ensure service is running if it should be
+ if [ -d /run/systemd/system ]; then
+ systemctl daemon-reload
+ if systemctl is-enabled "$SERVICE_NAME" >/dev/null 2>&1; then
+ systemctl start "$SERVICE_NAME" || true
+ fi
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
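Review bot: The `exit 1` in the usermod failure branch aborts package configuration over a condition that is not fatal to the package itself — the group, unit and service are already in place at that point, and a non-zero postinst leaves the package half-configured and fails the whole apt run. Since membership in `$GROUP_NAME` only decides who may connect to the daemon socket, the warning alone is enough, with a hint the operator can act on: `echo "Warning: failed to add $TARGET_USER to $GROUP_NAME; run 'usermod -a -G $GROUP_NAME <user>' manually" >&2` and the `exit 1` dropped. The `$SUDO_USER`/`$USER` detection also silently selects nobody when the package is installed from a plain root shell or a GUI front end (both typically report root), so an `else` branch printing the same manual instruction would avoid a confusing "socket permission denied" later. Worth stating in the comment at the `addgroup` line that this group grants access to a daemon that, per the unit file (no `User=`), runs as root.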
diff --git a/resources-linux/postrm b/resources-linux/postrm
index 9b76642f..6fb17532 100644
--- a/resources-linux/postrm
+++ b/resources-linux/postrm
@@ -1 +1,24 @@
-systemctl daemon-reload
+#!/bin/sh
+set -e
+
+GROUP_NAME="defguard"
+SERVICE_NAME="defguard-service"
+
+case "$1" in
+ remove)
+ # Service file still exists, just disable it
+ if [ -d /run/systemd/system ]; then
+ systemctl disable "$SERVICE_NAME" || true
+ systemctl daemon-reload
+ fi
+ ;;
+
+ purge)
+ # Complete removal - clean up group too
+ if getent group "$GROUP_NAME" >/dev/null; then
+ delgroup "$GROUP_NAME" || true
+ fi
+ ;;
+esac
+
+#DEBHELPER#
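Review bot: The comment `# Service file still exists, just disable it` in the `remove` branch looks wrong for a non-conffile unit: dpkg unlinks the package's files before postrm runs, so `systemctl disable` here likely acts on an already-removed unit, which is presumably why it needs the `|| true`. The removed prerm used to disable the service while the unit file was still installed; keeping `systemctl disable "$SERVICE_NAME" || true` in prerm next to the `stop` and leaving this branch with only `systemctl daemon-reload` preserves that ordering. If the unit is in fact shipped as a conffile, the comment should say so explicitly, since that is what makes the current ordering valid.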
diff --git a/resources-linux/prerm b/resources-linux/prerm
index aaf1ae3c..3c602373 100644
--- a/resources-linux/prerm
+++ b/resources-linux/prerm
@@ -1,2 +1,15 @@
-systemctl stop defguard-service
-systemctl disable defguard-service
+#!/bin/sh
+set -e
+
+SERVICE_NAME="defguard-service"
+
+case "$1" in
+ remove|upgrade|deconfigure)
+ if [ -d /run/systemd/system ]; then
+ # Stop the service before removal/upgrade
+ systemctl stop "$SERVICE_NAME" || true
+ fi
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/src-tauri/Cargo.lock b/src-tauri/Cargo.lock
index f3041a9f..3c867eec 100644
--- a/src-tauri/Cargo.lock
+++ b/src-tauri/Cargo.lock
@@ -1246,6 +1246,7 @@ dependencies = [
"dirs-next",
"hyper-util",
"log",
+ "nix",
"prost",
"regex",
"reqwest",
diff --git a/src-tauri/Cargo.toml b/src-tauri/Cargo.toml
index cfce992a..c9b985ed 100644
--- a/src-tauri/Cargo.toml
+++ b/src-tauri/Cargo.toml
@@ -102,6 +102,7 @@ semver = "1.0.26"
tokio-stream = "0.1"
tower = "0.5"
hyper-util = "0.1"
+nix = { version = "0.30.1", features = ["user", "fs"] }
[target.'cfg(windows)'.dependencies]
winapi = { version = "0.3", features = ["winsvc", "winerror"] }
diff --git a/src-tauri/resources-macos/resources/net.defguard.plist b/src-tauri/resources-macos/resources/net.defguard.plist
index 696d5cd5..479b9737 100644
--- a/src-tauri/resources-macos/resources/net.defguard.plist
+++ b/src-tauri/resources-macos/resources/net.defguard.plist
@@ -16,5 +16,7 @@ http://www.apple.com/DTDs/PropertyList-1.0.dtd >
RunAtLoad
+ GroupName
+ staff
diff --git a/src-tauri/src/service/mod.rs b/src-tauri/src/service/mod.rs
index 371a3e39..c571b5af 100644
--- a/src-tauri/src/service/mod.rs
+++ b/src-tauri/src/service/mod.rs
@@ -15,6 +15,8 @@ use std::{
str::FromStr,
time::{Duration, SystemTime, UNIX_EPOCH},
};
+#[cfg(unix)]
+use std::{fs, os::unix::fs::PermissionsExt, path::Path};
#[cfg(not(target_os = "macos"))]
use defguard_wireguard_rs::Kernel;
@@ -27,12 +29,12 @@ use defguard_wireguard_rs::{
net::IpAddrMask,
InterfaceConfiguration, WGApi, WireguardInterfaceApi,
};
+#[cfg(unix)]
+use nix::unistd::{chown, Group};
use proto::{
desktop_daemon_service_server::{DesktopDaemonService, DesktopDaemonServiceServer},
CreateInterfaceRequest, InterfaceData, ReadInterfaceDataRequest, RemoveInterfaceRequest,
};
-#[cfg(unix)]
-use std::{fs, os::unix::fs::PermissionsExt, path::Path};
use thiserror::Error;
#[cfg(unix)]
use tokio::net::UnixListener;
@@ -48,6 +50,7 @@ use tracing::{debug, error, info, info_span, Instrument};
use self::config::Config;
use super::VERSION;
+use crate::error::Error;
#[cfg(windows)]
const DAEMON_HTTP_PORT: u16 = 54127;
@@ -57,6 +60,12 @@ pub(super) const DAEMON_BASE_URL: &str = "http://localhost:54127";
#[cfg(unix)]
pub(super) const DAEMON_SOCKET_PATH: &str = "/var/run/defguard.socket";
+#[cfg(target_os = "macos")]
+pub(super) const DAEMON_SOCKET_GROUP: &str = "staff";
+
+#[cfg(target_os = "linux")]
+pub(super) const DAEMON_SOCKET_GROUP: &str = "defguard";
+
#[derive(Error, Debug)]
pub enum DaemonError {
#[error(transparent)]
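Review bot: On a default macOS install every local user account is a member of `staff`, so pairing `DAEMON_SOCKET_GROUP = "staff"` with the 0o660 socket mode leaves access effectively as wide as the previous 0o666 did; the tightening only has teeth on Linux, where `defguard` membership is granted explicitly by the installer. A comment above the macOS constant should make that limitation visible, e.g. `// NOTE: all local users belong to staff on macOS; this only excludes non-user accounts, not other users`, or the macOS installer could create a dedicated group as the Linux postinst does. Separately, the constant exists only for `target_os = "macos"` and `"linux"` while the code that reads it is gated on `cfg(unix)`, so any other unix target would fail to compile; if those targets are unsupported, narrowing that gate or adding a `compile_error!` states the intent.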
@@ -349,9 +358,19 @@ pub async fn run_server(config: Config) -> anyhow::Result<()> {
let uds = UnixListener::bind(DAEMON_SOCKET_PATH)?;
+ // change owner group for socket file
+ // get the group ID by name
+ let group = Group::from_name(DAEMON_SOCKET_GROUP)?.ok_or_else(|| {
+ error!("Group '{}' not found", DAEMON_SOCKET_GROUP);
+ Error::InternalError(format!("Group '{}' not found", DAEMON_SOCKET_GROUP))
+ })?;
+
+ // change ownership - keep current user, change group
+ chown(DAEMON_SOCKET_PATH, None, Some(group.gid))?;
+
// Set socket permissions to allow client access
- // 0o666 allows read/write for owner, group, and others
- fs::set_permissions(DAEMON_SOCKET_PATH, fs::Permissions::from_mode(0o666))?;
+ // 0o660 allows read/write for owner and group only
+ fs::set_permissions(DAEMON_SOCKET_PATH, fs::Permissions::from_mode(0o660))?;
let uds_stream = UnixListenerStream::new(uds);
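Review bot: Between `UnixListener::bind` and the `chown`/`set_permissions` calls the socket exists with whatever mode the process umask yields, so the group restriction is not in force during that window; with a typical 022 umask the resulting 0755 still denies connect (write) to others, but that depends on how the daemon was launched rather than on this code. Restricting the umask before `bind`, or creating the socket in a directory only root and the group can traverse, removes the window entirely and is worth a comment at the `bind` line if left as is. The `error!` inside the `ok_or_else` closure carries the same text as the returned `Error::InternalError`, which the caller presumably logs when `run_server` fails, so one of the two can go. `run_server` starts and ends outside this hunk.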
diff --git a/src-tauri/tauri.conf.json b/src-tauri/tauri.conf.json
index 89d9a114..6ab63153 100644
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@@ -35,7 +35,6 @@
]
}
},
- "longDescription": "Defguard desktop client.",
"macOS": {
"entitlements": null,
"exceptionDomain": "",
@@ -46,7 +45,8 @@
"resources": [
"resources/icons/*"
],
- "shortDescription": "",
+ "shortDescription": "Defguard desktop client",
+ "longDescription": "Defguard desktop client",
"linux": {
"deb": {
"files": {
@@ -107,4 +107,4 @@
}
}
}
-}
+}
\ No newline at end of file
diff --git a/src-tauri/tauri.linux.conf.json b/src-tauri/tauri.linux.conf.json
new file mode 100644
index 00000000..1ceacbf7
--- /dev/null
+++ b/src-tauri/tauri.linux.conf.json
@@ -0,0 +1,5 @@
+{
+ "bundle": {
+ "longDescription": "IMPORTANT: Reboot or Re-login Required\nOn initial install the user is added to the defguard group.\nA reboot or logging out and back in is required for group membership changes to take effect.\nThis is not required on subsequent updates."
+ }
+}
\ No newline at end of file