Can't start session when Teleport node runs as non-root

Hi,

I’ve got a Teleport cluster set up with the Teleport service configured to run as a non-root user called teleport on each machine.

The service runs normally for the auth and proxy machines; however, on the node machine, if I run the Teleport service as the teleport user above, I get "fork/exec /bin/bash: Operation not permitted" whenever I open a session. Running the Teleport service as root solves this issue.

My Teleport node machine’s systemd service file:

[Unit]
Description=Teleport SSH service
After=network.target

[Service]
Type=simple
Restart=on-failure
User=teleport
Group=teleport
ExecStart=/usr/local/bin/teleport start --roles=node --config=/etc/teleport.yml --pid-file=/var/lib/teleport/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/var/lib/teleport/teleport.pid

[Install]
WantedBy=multi-user.target

Any help and/or pointers are appreciated – thanks!

Hi - this is intended behaviour, as Teleport might need to be able to start a shell as any given user (including root) on the host. I believe that sshd has the same requirement for the exact same reason.

You might potentially be able to work around this by getting systemd to grant some capabilities to the Teleport node process, like CAP_SETUID and CAP_SETGID - I’m afraid I can’t give a list of all the capabilities that Teleport would require, however, as this isn’t a supported mode of operation. The official stance is that Teleport’s node process must be run as root.
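As an added illustration of the capabilities point in the reply above (this is not code from the thread or from the Teleport project), the script below decodes the CapEff mask that the Linux kernel exposes in /proc/<pid>/status and reports whether CAP_SETUID and CAP_SETGID are in a process's effective set. It is the check you would run after granting capabilities through a systemd unit to confirm that the node process actually received them; the bit numbers (CAP_SETGID = 6, CAP_SETUID = 7) come from linux/capability.h, and the TELEPORT_PID environment variable is an assumed convenience for pointing it at a running process.

```shell
#!/bin/sh
# Added example, not part of the original thread: decode the CapEff hex mask
# from /proc/<pid>/status and report whether the two capabilities mentioned in
# the reply (CAP_SETGID = bit 6, CAP_SETUID = bit 7) are in the effective set.

# cap_bit_set MASK_HEX BIT -> exit status 0 if bit BIT is set in the mask.
# Only the low 32 bits are examined, which is where these two bits live.
cap_bit_set() {
    mask_hex=$1
    bit=$2
    low=$(printf '%s' "$mask_hex" | tail -c 8)   # last 8 hex digits = low 32 bits
    low=$(( 0x$low ))
    [ $(( (low >> bit) & 1 )) -eq 1 ]
}

# report_caps MASK_HEX -> prints "CAP_SETGID=yes|no CAP_SETUID=yes|no"
report_caps() {
    out=""
    for entry in CAP_SETGID:6 CAP_SETUID:7; do
        name=${entry%%:*}
        bit=${entry##*:}
        if cap_bit_set "$1" "$bit"; then state=yes; else state=no; fi
        out="$out${out:+ }$name=$state"
    done
    printf '%s\n' "$out"
}

# effective_caps_of PID -> prints the CapEff hex mask of that process
# (the line in /proc/<pid>/status looks like "CapEff:\t0000003fffffffff").
effective_caps_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Stand-alone usage: inspect the process named by TELEPORT_PID (assumed
# variable), or this shell itself when it is unset. Skipped where /proc
# is not available.
pid=${TELEPORT_PID:-self}
if [ -r "/proc/$pid/status" ]; then
    mask=$(effective_caps_of "$pid")
    printf 'pid %s CapEff=%s -> %s\n' "$pid" "$mask" "$(report_caps "$mask")"
fi
```

A mask of all zeros for the teleport user's process is exactly the state that produces "Operation not permitted" on fork/exec of a shell as another user; a root process shows a full mask (bits 6 and 7 set). As the reply notes, these two bits are only the obvious ones, not a complete list of what Teleport needs.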

Duly noted and thanks for the insight on capabilities!