Hi Lennart Poettering,

Can you give me some more clarity on why this cannot safely be implemented? Do you mean the use of polkit?

I have a few fundamental questions.

1) Dbus uses .conf files in /etc/dbus-1/system.d/ or /usr/share/dbus-1/system.d/ to allow and deny access to dbus method calls. And what is the point of allowing a user in these conf files if eventually systemd will block the call?

2) Why does "busctl call" to standard interfaces such as org.freedesktop.DBus.Peer still work even if the caller is non-root?

3) I see that busctl commands such as "tree", "introspect" etc. are still allowed for a non-root user. So why is there a restriction on "call"?

My basic use case is that I want to run an application as non-root and be able to make a "busctl call" to an interface of an application running as root. Do you think there is any way to do that?

Regards,
Arun Lal K M

-----Original Message-----
From: systemd-devel <systemd-devel-boun...@lists.freedesktop.org> On Behalf Of systemd-devel-requ...@lists.freedesktop.org
Sent: Friday, March 10, 2023 5:30 PM
To: systemd-devel@lists.freedesktop.org
Subject: systemd-devel Digest, Vol 155, Issue 8

Today's Topics:

   1. How to make sd_bus_creds_has_effective_cap return success. (Lal, Arun)
   2. Re: How to make sd_bus_creds_has_effective_cap return success. (Lennart Poettering)

----------------------------------------------------------------------

Message: 1
Date: Fri, 10 Mar 2023 06:54:17 +0000
From: "Lal, Arun" <arun....@intel.com>
To: "systemd-devel@lists.freedesktop.org" <systemd-devel@lists.freedesktop.org>
Cc: "Ayushi, Smriti" <smriti.ayu...@intel.com>, "Shah, Nirav J2" <nirav.j2.s...@intel.com>
Subject: [systemd-devel] How to make sd_bus_creds_has_effective_cap return success.
Message-ID: <dm4pr11mb53602b65bcde4fcfed8b1b1b88...@dm4pr11mb5360.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"

Hi All,

I would like to receive some clarity on the following commit in systemd (https://github.com/systemd/systemd/commit/def9a7aa0182e5ecca3ac61b26f75136a5c4f103)

I was trying to run an application as non-root. Currently, I am facing an issue that I am not able to make a "busctl call" from a non-root user to a D-Bus service running as root.

Example:

1. Create a non-root user using the useradd command.
2. The following is exposed by a daemon running as root:
     service    - xyz.openbmc_project.xxxx
     objectpath - /xyz/openbmc_project/xxxx/get_data
     interface  - xyz.openbmc_project.GetData
     method     - getData
3. From putty, log in to the BMC console and switch to the non-root user using "su nonrootuser".
4. Run the following command:

     busctl call xyz.openbmc_project.xxxx /xyz/openbmc_project/xxxx/get_data xyz.openbmc_project.GetData getData

   and we get the response "Call Failed: Access denied".

On investigation, the 'Access Denied' failure response was coming from the systemd recipe.

From file systemd\src\libsystemd\sd-bus\bus-convenience.c, method_callbacks_run->check_access fails.

In case of root, check_access->sd_bus_query_sender_privilege returns 1 because of the following condition:

    if (sender_uid == our_uid)
        return 1;

In case of non-root, the check_access->sd_bus_query_sender_privilege function returns 0.

I would like to understand how "return 1" can be achieved from the sd_bus_query_sender_privilege function. Specifically the below mentioned "return 1":

    r = sd_bus_creds_has_effective_cap(creds, capability);
    if (r > 0)
        return 1;

From your commit message I can see that polkit has some role here. But I am new to polkit and any help would be appreciated.

Regards,
Arun Lal K M

------------------------------

Message: 2
Date: Fri, 10 Mar 2023 11:57:41 +0100
From: Lennart Poettering <lenn...@poettering.net>
To: "Lal, Arun" <arun....@intel.com>
Cc: "systemd-devel@lists.freedesktop.org" <systemd-devel@lists.freedesktop.org>, "Ayushi, Smriti" <smriti.ayu...@intel.com>, "Shah, Nirav J2" <nirav.j2.s...@intel.com>
Subject: Re: [systemd-devel] How to make sd_bus_creds_has_effective_cap return success.
Message-ID: <ZAsNJUyqqwHEFmd4@gardel-login>
Content-Type: text/plain; charset=us-ascii

On Fr, 10.03.23 06:54, Lal, Arun (arun....@intel.com) wrote:

> Hi All,
>
> I would like to receive some clarity on following commit in systemd
> (https://github.com/systemd/systemd/commit/def9a7aa0182e5ecca3ac61b26f75136a5c4f103)

This is stuff that cannot safely be implemented on the AF_UNIX. It was a safe concept when kdbus was a thing. Ignore it.

Lennart

--
Lennart Poettering, Berlin

------------------------------

End of systemd-devel Digest, Vol 155, Issue 8