Bug#1018163: coturn: only works if run as root

thoralf thoralf.schulze at weizenbaum-institut.de
Fri Aug 26 11:29:26 BST 2022


Package: coturn
Version: 4.5.2-3
Severity: important

hi there -

I am using coturn to allow NAT traversal for Matrix users. The configuration follows the recommendations given here: https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md and boils down to:

listening-ip=<server-ip>
use-auth-secret
static-auth-secret=<some-secret>
realm=<some-realm>
syslog
verbose
no-tcp-relay
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
# recommended additional local peers to block, to mitigate external access to internal services.
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
[…]
denied-peer-ip=240.0.0.0-255.255.255.255
# special case the turn server itself so that client->TURN->TURN->client flows work
# this should be one of the turn server's listening IPs
allowed-peer-ip=<server-ip>
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200

… so nothing fancy, and none of these options should require root permissions. However, with this config coturn only does its thing if it runs as root - either by starting it explicitly as "/usr/bin/turnserver -c /etc/turnserver.conf" or by creating a systemd override:

[Service]
User=
User=root
Group=
Group=root

As an added benefit, logging actually starts to work :)

thank you very much for your work & with kind regards,
thoralf.

-- System Information:
Debian Release: 11.4
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-17-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages coturn depends on:
ii  adduser                  3.118
ii  init-system-helpers      1.60
ii  libc6                    2.31-13+deb11u3
ii  libevent-core-2.1-7      2.1.12-stable-1
ii  libevent-extra-2.1-7     2.1.12-stable-1
ii  libevent-openssl-2.1-7   2.1.12-stable-1
ii  libevent-pthreads-2.1-7  2.1.12-stable-1
ii  libhiredis0.14           0.14.1-1
ii  libmariadb3              1:10.5.15-0+deb11u1
ii  libpq5                   13.7-0+deb11u1
ii  libsqlite3-0             3.34.1-3
ii  libssl1.1                1.1.1n-0+deb11u3
ii  libsystemd0              247.3-7
ii  lsb-base                 11.1.0
ii  sqlite3                  3.34.1-3
ii  telnet [telnet-client]   0.17-42

coturn recommends no packages.

Versions of packages coturn suggests:
pn  sip-router   <none>
pn  xmpp-server  <none>

-- Configuration Files:
/etc/turnserver.conf [Errno 13] Permission denied: '/etc/turnserver.conf'

-- no debconf information
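Added here as an illustration, not part of the bug report or of coturn: a small Python lint for the peer policy in the configuration quoted above. The constructed sample uses a TEST-NET address in place of <server-ip> and omits the elided lines; loopback and link-local ranges are checked as an assumption beyond the report's own list.

```python
import ipaddress

# Constructed sample: the peer-related lines from the report's turnserver.conf,
# with a TEST-NET address standing in for the reporter's <server-ip>.
SAMPLE_CONF = """\
listening-ip=203.0.113.10
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=240.0.0.0-255.255.255.255
allowed-peer-ip=203.0.113.10
user-quota=12 # 4 streams per video call
"""

# Ranges a relay must never reach on behalf of an external client. RFC 1918
# comes from the report; loopback and link-local are added as an assumption.
MUST_DENY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def parse_conf(text: str) -> dict[str, list[str]]:
    """Map each option to its list of values; '#' starts a comment."""
    opts: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition("=")
            opts.setdefault(key.strip(), []).append(val.strip())
    return opts

def range_networks(spec: str) -> list[ipaddress.IPv4Network]:
    """Expand a coturn 'first-last' range (or a single address) into CIDR blocks."""
    lo, _, hi = spec.partition("-")
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))

def lint_peers(text: str) -> list[str]:
    """Return findings about the peer policy; an empty list means it passed."""
    opts = parse_conf(text)
    denied = [n for s in opts.get("denied-peer-ip", []) for n in range_networks(s)]
    findings = [f"{want} is not covered by any denied-peer-ip"
                for want in MUST_DENY if not any(want.subnet_of(d) for d in denied)]
    # allowed-peer-ip exists for TURN-to-TURN flows, so it must be a listening IP.
    listening = set(opts.get("listening-ip", []))
    findings += [f"allowed-peer-ip {ip} is not a listening-ip"
                 for ip in opts.get("allowed-peer-ip", []) if ip not in listening]
    return findings
```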
