Help Center

Running Agent under restricted user account

Sometimes it is required to run Resilio Agent under a highly restricted user account for security purposes. Please follow the instructions below depending on target OS:

Note, that all commands for command prompt below require admin privileges.

You can use standard “Local Service” account, although as soon as you grant explicit permissions to Agent to access to some particular folder, all other services running as “Local Service” will get this access, too. Therefore it is preferable to create a separate user to maximize isolation.

  • If you already installed Agent, open Services Console (Win+R, services.msc) and stop “Resilio Connect Agent” service. Open admin command prompt, navigate to “C:\Program Files\Resilio Connect Agent” and run command
    "Resilio Connect Agent.exe" /SVCDELETE

    If Agent is not yet installed, create “C:\Program Files\Resilio Connect Agent” path manually and put the executable there. Ensure that its name is “Resilio Connect Agent.exe” even for x64 bit agent. Put the sync.conf file you got from MC in the same folder.

  • Create user “<user_name>” with standard set of user permissions
    Use command
    net user <username> <password> /ADD
    or do it manually from Control Panel

  • Grant new user permissions to upgrade itself (i.e. write permissions to “C:\Program Files\Resilio Connect Agent” folder)

  • Setup Resilio Connect Agent service to run under this user:
    Resilio Connect Agent.exe /svcinstall -u %username% %password% -c "\"/config\" \"C:\Program Files\Resilio Connect Agent\sync.conf\"" -a
  • Start the service with
    net start connectsvc
    command or via Services console.

By default, Agent will only have write access to its home folder (C:\Users\<user_name>). You can add access to any other required folders explicitly.

Install package on a Linux (manually or via package manager), copy agent's config to /etc/resilio-agent directory and start the service 

sudo dpkg -i <resilio>.deb
sudo mv sync.conf /etc/resilio-agent/sync.conf
sudo systemctl enable/start

It’ll automatically start and set itself to autorun as isolated “rslagent” user. Use POSIX permissions and groups to allow Agent access to folders other than /home/rslagent

  • Install Agent normally (i.e. unpack the DMG to Applications). Ensure it is not in launch items for your current user account.
  • Get the sync.conf file from your Management Console and add "use_gui": false, line there
  • Download this shell script which is intended to install Agent under separate "resilioagent" account and launch it as daemon, ensure that script has execute permissions:
    chmod +x
  • Run the script, supplying config file as parameter
    ./ sync.conf

If you need to stop the agent, killing it through Activity Monitor won't take effect. To stop/start agent process use next commands:

sudo launchctl unload -w /Library/LaunchDaemons/com.resilio.agent.plist

sudo launchctl load -w /Library/LaunchDaemons/com.resilio.agent.plist

From now on, Sync will start with OS X and will not require user to get logged in. It only has limited access to folder, allowed for “resilioagent” user. You can use both POSIX.1 permissions and OS X ACLs to provide access to the user (and to the Agent as a result) to other folders and resources. The Agent itself will deliver files available for reading and writing to everyone due to UMASK = 002. You can see all the parameters (password, umask, etc.) of newly created user inside the script.

Was the article helpful? Yes / No, send feedback on article Thanks!

Please note that we won't mail you back. This is just purely feedback on the article above. If you need help from our Support Team, please use the "Contact Support" link at the top of the page.