Skip to content

frp: Align service scripts to template file's config path#61399

Open
MC26Paradox wants to merge 2 commits into
void-linux:masterfrom
MC26Paradox:frp-service-conf-fix
Open

frp: Align service scripts to template file's config path#61399
MC26Paradox wants to merge 2 commits into
void-linux:masterfrom
MC26Paradox:frp-service-conf-fix

Conversation

@MC26Paradox

Copy link
Copy Markdown

#55858 is a previous PR with the same change, but the PR owner closed it, and the package's maintainer, @Anachron, mentioned intent to apply this fix.
(Apologies to said maintainer for the ping, intended as a gentle reminder as they stated not getting a notification in the last PR.)

The package template is untouched, this PR simply has the service files use the same config files as the template refers to.

Original config file location is deprecated as well, besides not being installed by the template already.

Testing the changes

  • I tested the changes in this PR: briefly
    • local Void install on aarch64-musl works (hardware: a Raspberry Pi 4), as in:
      "I changed my local service file by hand and this quick fix works on a fresh package install"
    • (xbps-src is missing in the static download of xbps, so I can't rebuild the package elsewhere, but the template's unchanged anyway!)

@MC26Paradox

Copy link
Copy Markdown
Author

This PR only has the config location fix, the below is not touched at all, just adding onto the discussion from the linked (closed) PR.

Anecdotally, the mentioned PR's suggestion of running as nobody:nogroup works fine here for non-HTTPS (see end of comment), ex.
exec chpst -u nobody:nogroup -- /usr/bin/frps -c /etc/frp/frps.toml
exec chpst -u nobody:nogroup -- /usr/bin/frpc -c /etc/frp/frpc.toml
as the main run command.

In particular, I've tried with both frps and frpc on the same machine, with non-root ports (>1000), and both a test HTTP service (ex. python3 -m http.server 1111 in a safe dir), and frpc's HTTP management panel, which uses basic HTTP login auth.

Minimal example config for recreating that, from frp's docs:
/etc/frp/frps.toml

bindPort = 7000

/etc/frp/frpc.toml

serverAddr = "127.0.0.1"
serverPort = 7000

# Only available on the local machine,
# unless switched to ex. "0.0.0.0",
# and allowed through relevant firewall.
# Warning: login allows editing of frpc's config!
webServer.addr = "127.0.0.1"
webServer.port = 7400
webServer.user = "admin"
webServer.password = "admin"

[[proxies]]
name = "testing"
type = "tcp"
localIP = "127.0.0.1"
# Adjust accordingly for test service's port (local),
# and port you attempt to connect to (remote).
localPort = 1111
remotePort = 2222

I couldn't tell you if chpst or setpriv are normally used in Void packages, though, but only allowing ports accessible by normal users by default seems like sane behavior to me, and the simplest method to revert back to root is just deleting the permission-related command out of run for end users.

However, HTTPS certificates will be unreadable by nobody , and likely need root to view in most systems, so while I support adding chpst like above (as does the original PR, to a degree), it should be commented out as a suggestion, not default, to avoid breaking common HTTPS reverse proxy setups (ex. providing a cert to backend HTTP services visible to frpc only).

@MC26Paradox MC26Paradox marked this pull request as ready for review July 8, 2026 04:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant