how to allow vncserver restart ??

Simon McVittie simon.mcvittie at collabora.co.uk
Fri Feb 28 04:05:17 PST 2014


On 27/02/14 17:02, Sean Darcy wrote:
> dbus[540]: [system] Rejected send message, 2 matched rules;
> type="method_call", sender=":1.8319" (u
> id=504 pid=1680 comm="systemctl stop vncserver@:2 ")
> interface="org.freedesktop.systemd1.Manager" member="StopUnit" error
> name="(unset)" requested_reply="0"
> destination="org.freedesktop.systemd1" (uid=0 pid=1
> comm="/usr/lib/systemd/systemd --switched-root --system ")

The system bus is a security boundary, so it has a "forbid everything by
default" policy. Individual services can set up more lenient
access-control in /etc/dbus-1/system.d.

systemd's access policy (which is in
/etc/dbus-1/system.d/org.freedesktop.systemd1.conf on my system) allows
all operations to be done by root, and a limited subset (mostly read
operations) to be done by any other user.

In general, it would be considered a security vulnerability (denial of
service) for unprivileged users to be able to stop or start arbitrary
system services. If your local security policy is that that's OK, you
could allow that by editing
/etc/dbus-1/system.d/org.freedesktop.systemd1.conf (or a new file in
system.d using that file as a template) to allow the two denied calls,
something like:

        <policy context="default">
                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="StartUnit"/>
                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="StopUnit"/>
        </policy>

However, that's probably more coarse-grained than you would like: it
would allow any user (even pseudo-users like 'nobody' and 'daemon') to
restart any unit. Using sudo or similar is probably a better way, for
which read on.

> AFAICT, sudoers doesn't help, it's a dbus thing.

sudo can help if you give the users permission to run systemctl as root,
something like:

    # sudoers
    %users  ALL=(root) NOPASSWD: /usr/local/bin/restart-vncserver

    # /usr/local/bin/restart-vncserver
    #!/bin/sh
    case "$*" in
        ([0-9]|[0-9][0-9])
            # exactly one argument consisting of one or two digits
            systemctl restart "vncserver@:${1}.service"
            ;;
        (*)
            echo "usage: restart-vncserver DISPLAYNUMBER" >&2
            exit 2
            ;;
    esac

(This example assumes that your security policy is "users may restart
VNC servers numbered 0 to 99"; adjust as needed. I used a wrapper script
here to avoid having to give permission to run arbitrary systemctl
subcommands with arbitrary options.)

That way, the privileges being checked by systemctl are those of root,
not the user, and the access will be allowed. Of course, when doing
that, you're responsible for configuring sudoers and the invoked script
to be secure (env_reset in sudoers, etc.), for a value of "secure"
appropriate for your local security policy.

> , though the error message points to org.freedesktop.systemd1.Manager
> which is in
> /usr/share/dbus-1/interfaces/org.freedesktop.systemd1.Manager.xml.

That's just "documentation" of the Manager interface itself, which might
be an interesting or useful reference, but does not affect the security
policy.

    S
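
The coarseness of the `<policy>` snippet in the message above, as an added example (not part of the original post and not dbus-daemon's code): a simplified Python model of system-bus send rules. It assumes default deny, that the last matching rule wins, and only the three `send_*` attributes the snippet uses; the uids, unit names and helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The <policy> fragment from the message, wrapped in a root element.
POLICY_XML = """
<busconfig>
  <policy context="default">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"
           send_member="StartUnit"/>
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"
           send_member="StopUnit"/>
  </policy>
</busconfig>
"""

# Rule attribute -> message header field it is compared with.
FIELDS = {"send_destination": "destination",
          "send_interface": "interface",
          "send_member": "member"}

def load_rules(xml_text):
    """Return [(verdict, attrs)] for context="default" policies, in file order."""
    rules = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("context") != "default":
            continue  # user= / group= policies are outside this model
        for rule in policy:
            if rule.tag in ("allow", "deny"):
                rules.append((rule.tag, dict(rule.attrib)))
    return rules

def may_send(rules, msg):
    """Default deny; the last rule whose attributes all match decides."""
    verdict = "deny"
    for tag, attrs in rules:
        if any(a not in FIELDS for a in attrs):
            continue  # attribute not modelled here: treat as non-matching
        if all(msg.get(FIELDS[a]) == v for a, v in attrs.items()):
            verdict = tag
    return verdict == "allow"

def manager_call(uid, member, unit):
    """Constructed message: uid and unit are carried but no rule above reads them."""
    return {"uid": uid, "destination": "org.freedesktop.systemd1",
            "interface": "org.freedesktop.systemd1.Manager",
            "member": member, "unit": unit}  # unit travels in the body, not the header

RULES = load_rules(POLICY_XML)
```

Calling `may_send(RULES, manager_call(65534, "StopUnit", "sshd.service"))` returns `True`: the rules see only destination, interface and member, so neither the caller's uid nor the unit name narrows the grant.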


