Here's an annotated strace output of the dbus process when it fails. In another terminal, I ran 'systemctl status ntp' which triggers the dbus query. As Zahid mentioned above, this is with the permissions on /etc/ldap.conf set to 440, so the dbus-daemon user doesn't have permissions to read it. But why does dbus-daemon _want_ to read it? It's also checking /etc/passwd before this.
rphelps@d1lmdbsvrstg2:~$ sudo strace -p 942 -s 256 strace: Process 942 attached epoll_wait(4, [{EPOLLIN, {u32=3, u64=386346997063352323}}], 64, -1) = 1 # Accept the incoming dbus call from systemctl accept4(3, {sa_family=AF_LOCAL, NULL}, [2], SOCK_CLOEXEC) = 18 # Set it to a non-blocking socket, add it to the epoll() list, and call epoll() again fcntl(18, F_GETFL) = 0x2 (flags O_RDWR) fcntl(18, F_SETFL, O_RDWR|O_NONBLOCK) = 0 getsockname(18, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, [34]) = 0 epoll_ctl(4, EPOLL_CTL_ADD, 18, {EPOLLET, {u32=18, u64=386346997063352338}}) = 0 epoll_ctl(4, EPOLL_CTL_MOD, 18, {EPOLLIN, {u32=18, u64=14407806993769168914}}) = 0 epoll_wait(4, [{EPOLLIN, {u32=18, u64=14407806993769168914}}], 64, 29999) = 1 # Read a message from systemctl recvmsg(18, {msg_name(0)=NULL, msg_iov(1)=[{"\0", 1}], msg_controllen=0, msg_flags=0}, 0) = 1 # Get the pid, uid, and gid of the systemctl process, rphelps in this case getsockopt(18, SOL_SOCKET, SO_PEERCRED, {pid=17258, uid=10247, gid=10004}, [12]) = 0 # Try and fail to get the peer socket security state, but that might be SELinux only? getsockopt(18, SOL_SOCKET, SO_PEERSEC, 0x559bc7f68180, 0x7ffc93c3a2bc) = -1 ENOPROTOOPT (Protocol not available) # Read the auth request from systemctl read(18, "AUTH EXTERNAL 3130323437\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 2048) = 52 # Check the /etc/passwd for something open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 19 lseek(19, 0, SEEK_CUR) = 0 fstat(19, {st_mode=S_IFREG|0644, st_size=2014, ...}) = 0 mmap(NULL, 2014, PROT_READ, MAP_SHARED, 19, 0) = 0x7f5305a0d000 lseek(19, 2014, SEEK_SET) = 2014 fstat(19, {st_mode=S_IFREG|0644, st_size=2014, ...}) = 0 munmap(0x7f5305a0d000, 2014) = 0 close(19) = 0 # No idea rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7f530490a390}, {SIG_IGN, [], SA_RESTORER, 0x7f530490a390}, 8) = 0 # No idea why they're doing this; maybe to see if the caller is the same process? geteuid() = 107 # Try, and fail, to open /etc/ldap.conf open("/etc/ldap.conf", O_RDONLY) = -1 EACCES (Permission denied) rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7f530490a390}, NULL, 8) = 0 # Do another epoll() round epoll_ctl(4, EPOLL_CTL_MOD, 18, {EPOLLET, {u32=18, u64=4294967314}}) = 0 epoll_ctl(4, EPOLL_CTL_MOD, 18, {EPOLLOUT, {u32=18, u64=4294967314}}) = 0 epoll_wait(4, [{EPOLLOUT, {u32=18, u64=4294967314}}], 64, 29995) = 1 # Send the rejection message to systemctl sendto(18, "REJECTED EXTERNAL DBUS_COOKIE_SHA1 ANONYMOUS\r\nERROR \"Need to authenticate first\"\r\n", 82, MSG_NOSIGNAL, NULL, 0) = 82 # Remove the connection to systemctl from the epoll() list, and close the socket epoll_ctl(4, EPOLL_CTL_DEL, 18, 0x7ffc93c3a2e0) = 0 close(18) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu. https://bugs.launchpad.net/bugs/1885948 Title: systemd 229 / dbus 1.10.6-1ubuntu3.5 (16.04) and systemd 237 / dbus 1.12.2-1ubuntu1.1 (18.04) error with "Failed to get properties: Access denied" when ran as non-root user Status in dbus package in Ubuntu: New Bug description: I've seen this bug reported but almost always it is when being ran as root. This however is only an issue when ran as a non-root user. The root user is fine. I've come across this several times and although it's not a major issue, the only solution I've found is to reboot the system. I see this when running strace, tracing the network. We recently installed docker-ce and updated our version of salt from 2016.8.3 using python 2 to 2019.2.4 using python 3. ### 16.04 - systemd 229 on d1lmonitoringdev1 ### ## non-root user ## $ strace -f -s 16384 -e trace=network systemctl status ntp socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 getsockopt(3, SOL_SOCKET, SO_RCVBUF, [212992], [4]) = 0 setsockopt(3, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(3, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0 getsockopt(3, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0 setsockopt(3, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(3, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL ", 15}, {"3130313631", 10}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}], msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 53 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED EXTERNAL DBUS_COOKIE_SHA1 ANONYMOUS\r\nERROR \"Need to authenticate first\"\r\n", 256}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 82 strace: Process 29413 attached [pid 29413] --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=29412, si_uid=10161} --- Failed to get properties: Access denied [pid 29413] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=29413, si_uid=10161, si_status=0, si_utime=0, si_stime=0} --- +++ exited with 1 +++ ## root user ## # Truncated because as root it works. $ sudo strace -f -s 16384 -e trace=network systemctl status ntp [sudo] password for zbukhari: socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 getsockopt(3, SOL_SOCKET, SO_RCVBUF, [212992], [4]) = 0 setsockopt(3, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = 0 getsockopt(3, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0 setsockopt(3, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = 0 connect(3, {sa_family=AF_LOCAL, sun_path="/run/systemd/private"}, 22) = 0 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL ", 15}, {"30", 2}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}], msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 45 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"OK 3139491ef18e4f4c84fae863d4dd042f\r\nAGREE_UNIX_FD\r\n", 256}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 52 sendmsg(3, {msg_name(0)=NULL, msg_iov(2)=[{"l\1\4\1\5\0\0\0\1\0\0\0\237\0\0\0\1\1o\0,\0\0\0/org/freedesktop/systemd1/unit/ntp_2eservice\0\0\0\0\3\1s\0\6\0\0\ 0GetAll\0\0\2\1s\0\37\0\0\0org.freedesktop.DBus.Properties\0\6\1s\0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\1s\0\0", 176}, {"\0\0\0\0\0", 5}], msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 181 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"l\2\1\1\35 \0\0\1\0\0\0\23\0\0\0\5\1u\0\1\0\0\0", 24}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 24 ### 18.04 - systemd 237 on d1lzbbyodev1 ### ## non-root user ## $ strace -f -s 16384 -e trace=%network systemctl status ntp socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 getsockopt(3, SOL_SOCKET, SO_RCVBUF, [212992], [4]) = 0 setsockopt(3, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(3, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0 getsockopt(3, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0 setsockopt(3, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) setsockopt(3, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0 connect(3, {sa_family=AF_UNIX, sun_path="/run/dbus/system_bus_socket"}, 29) = 0 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0 getsockopt(3, SOL_SOCKET, SO_PEERSEC, 0x56338b39b450, [64]) = -1 ENOPROTOOPT (Protocol not available) getsockopt(3, SOL_SOCKET, SO_PEERGROUPS, "", [256->0]) = 0 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0 getsockname(3, {sa_family=AF_UNIX}, [128->2]) = 0 sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0AUTH EXTERNAL ", iov_len=15}, {iov_base="3130313631", iov_len=10}, {iov_base="\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", iov_len=28}], msg_iovlen=3, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 53 strace: Process 22703 attached [pid 22702] recvmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="REJECTED EXTERNAL\r\nERROR \"Need to authenticate first\"\r\n", iov_len=256}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 55 [pid 22703] --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=22702, si_uid=10161} --- Failed to get properties: Access denied [pid 22703] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22703, si_uid=10161, si_status=0, si_utime=0, si_stime=0} --- +++ exited with 1 +++ ## root user ## # truncated because as root it works. $ sudo strace -f -s 16384 -e trace=%network systemctl status ntp socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 getsockopt(3, SOL_SOCKET, SO_RCVBUF, [212992], [4]) = 0 setsockopt(3, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = 0 getsockopt(3, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0 setsockopt(3, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = 0 connect(3, {sa_family=AF_UNIX, sun_path="/run/systemd/private"}, 22) = 0 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0 getsockopt(3, SOL_SOCKET, SO_PEERSEC, 0x557f1d186450, [64]) = -1 ENOPROTOOPT (Protocol not available) getsockopt(3, SOL_SOCKET, SO_PEERGROUPS, "", [256->0]) = 0 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0 getsockname(3, {sa_family=AF_UNIX}, [128->2]) = 0 sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0AUTH EXTERNAL ", iov_len=15}, {iov_base="30", iov_len=2}, {iov_base="\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", iov_len=28}], msg_iovlen=3, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 45 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0 strace: Process 22999 attached [pid 22998] recvmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="OK fd99f58716884af9a7c053f7d08a1db0\r\nAGREE_UNIX_FD\r\n", iov_len=256}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 52 [pid 22998] sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\4\1\5\0\0\0\1\0\0\0\237\0\0\0\1\1o\0,\0\0\0/org/freedesktop/systemd1/unit/ntp_2eservice\0\0\0\0\3\1s\0\6\0\0\0GetAll\0\0\2\1s\0\37\0\0\0org.freedesktop.DBus.Properties\0\6\1s\0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\1s\0\0", iov_len=176}, {iov_base="\0\0\0\0\0", iov_len=5}], msg_iovlen=2, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 181 [pid 22998] recvmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\2\1\1Q(\0\0\1\0\0\0;\0\0\0\5\1u\0\1\0\0\0", iov_len=24}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 24 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1885948/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp