Running Agent under restricted user account


Sometimes the Resilio Agent must run under a highly restricted user account for security reasons. Follow the instructions below for your target OS:

Windows

Note that all the command prompt commands below require admin privileges.

You can also use the built-in “Local Service” account, but as soon as you grant the Agent explicit permissions to a particular folder, every other service running as “Local Service” gains that access too. It is therefore preferable to create a separate user to maximize isolation.

  • If the Agent is already installed, open the Services console (Win+R, services.msc) and stop the “Resilio Connect Agent” service. Open an admin command prompt, navigate to “C:\Program Files\Resilio Connect Agent” and run the command

    "Resilio Connect Agent.exe" /SVCDELETE

    If the Agent is not yet installed, create the “C:\Program Files\Resilio Connect Agent” folder manually and put the executable there. Ensure its name is “Resilio Connect Agent.exe” even for the x64 agent. Put the sync.conf file you get from the MC in the same folder.
  • Create the user “<user_name>” with the standard set of user permissions.
    Use the command
    net user <username> <password> /ADD
    or do it manually from Control Panel.
  • Grant the new user the permissions the Agent needs to upgrade itself (i.e. write permission to the “C:\Program Files\Resilio Connect Agent” folder).
  • Start the service with the command
    net start connectsvc
    or via the Services console.


By default, the Agent will only have write access to its home folder (C:\Users\<user_name>). You can grant it access to any other required folders explicitly.

Linux

Use the Linux packages to get the Agent installed. Once installed, start the Agent using the
sudo systemctl enable/start
command; it will automatically start (or set itself to autorun) under the isolated “rslagent” user. Use POSIX permissions and groups to allow the Agent access to folders other than /home/rslagent.

OS X

  • Install the Agent normally. Ensure it is not in the launch items for your current user account.
  • Create a resilioagent user in your Mac's System Preferences. Ensure it has a password.
  • Switch to the resilioagent user.
  • Create the folder "~/Library/Application Support/Resilio Connect Agent" and create the config file "sync.conf" there, with the content obtained from your MC. Use a plain text editor to create the config file. Don't use TextEdit, Pages or the like, as they tend to save it as RTF and render the config unusable.
  • Switch back to your admin user. Now create the launchd configuration file "/Library/LaunchDaemons/com.resilio.agent.plist"; you need root permissions to do this. Again, use a plain text editor only. Put the following content inside:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <!-- Unique job name; must match the file name without .plist -->
        <key>Label</key>
        <string>com.resilio.agent</string>
        <!-- Executable and its arguments; the config lives in the resilioagent user's home -->
        <key>ProgramArguments</key>
        <array>
            <string>/Applications/Resilio Connect Agent.app/Contents/MacOS/Resilio Connect Agent</string>
            <string>--config</string>
            <string>/Users/resilioagent/Library/Application Support/Resilio Connect Agent/sync.conf</string>
        </array>
        <!-- Start at boot and restart if the process exits -->
        <key>RunAtLoad</key>
        <true/>
        <key>KeepAlive</key>
        <true/>
        <!-- Run as the restricted user rather than root -->
        <key>UserName</key>
        <string>resilioagent</string>
        <!-- Decimal 2 = octal umask 002 -->
        <key>Umask</key>
        <integer>2</integer>
    </dict>
    </plist>

  • Open a terminal window and start the Agent with the command sudo launchctl load -w /Library/LaunchDaemons/com.resilio.agent.plist

From now on, the Agent will start with OS X and does not require a user to be logged in. It only has access to the folders allowed for the “resilioagent” user. You can use both POSIX.1 permissions and OS X ACLs to give the user (and therefore the Agent) access to other folders and resources. The Agent itself will deliver files available for reading and writing to everyone due to UMASK = 002.
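The Linux section's advice to use POSIX permissions and groups, and the closing note about UMASK = 002, can both be checked from a shell. The script below is an added example, not part of the article and not Resilio's own tooling: it computes the exact modes a given umask produces for new files and directories, and applies the group-plus-setgid pattern to a throwaway folder so the resulting mode can be inspected. The folder and group used in the demo are constructed stand-ins (the current user's primary group plays the part of a group containing rslagent or resilioagent).

```shell
#!/bin/sh
# Added example, not part of the Resilio article or Resilio's own tooling.
# Two things the Linux and OS X sections leave implicit:
#  1. what the Agent's umask actually does to the files it delivers, and
#  2. the POSIX group-permission pattern for letting the rslagent /
#     resilioagent user into a folder outside its home without opening
#     that folder to everyone.
# Folder and group names in the demo at the bottom are constructed.

# Octal mode a process with umask $1 gives a new file (base 666) or, when
# $2 is "dir", a new directory (base 777). Pure arithmetic, no filesystem needed.
mode_with_umask() {
    base=0666
    [ "$2" = "dir" ] && base=0777
    printf '%03o\n' $(( base & ~0$1 ))
}

# Human-readable rendering of a three-digit octal mode, e.g. 664 -> rw-rw-r--
mode_to_rwx() {
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        r=-; w=-; x=-
        [ $(( $digit & 4 )) -ne 0 ] && r=r
        [ $(( $digit & 2 )) -ne 0 ] && w=w
        [ $(( $digit & 1 )) -ne 0 ] && x=x
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Grant a service user access to a shared folder the Linux section's way:
# put the user and the people who need the data in one group, make the folder
# group-writable and world-inaccessible, and set the setgid bit so files the
# Agent creates there inherit the folder's group instead of its primary group.
grant_group_access() {
    # $1 = folder, $2 = group (the service user must be a member of it)
    chgrp "$2" "$1" && chmod 2770 "$1"
}

# First ten characters of the ls -ld mode column, e.g. drwxrws---
# (cut drops the "+" or "." GNU ls appends for ACLs / SELinux labels)
folder_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demo: the umask table, then the permission pattern on a throwaway folder.
for u in 002 022 077; do
    f=$(mode_with_umask "$u" file)
    d=$(mode_with_umask "$u" dir)
    printf 'umask %s: file %s (%s)  dir %s (%s)\n' \
        "$u" "$f" "$(mode_to_rwx "$f")" "$d" "$(mode_to_rwx "$d")"
done
demo_dir=$(mktemp -d)
grant_group_access "$demo_dir" "$(id -gn)"   # current group stands in for the shared group
printf 'shared folder mode: %s\n' "$(folder_mode "$demo_dir")"
rm -rf "$demo_dir"
```

Running it shows that umask 002 yields 664 for files and 775 for directories: group members can write, everyone else can read but not write. If world-readable output is more than you want, use a more restrictive umask (022 keeps others read-only for group members too, 077 confines new files to the Agent's user) and hand out access through group membership or ACLs instead. On OS X remember that the plist's <integer> field is decimal, so octal 022 has to be written as 18 and 077 as 63, just as the article's 002 is written as 2.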
