how to allow vncserver restart ??

Sean Darcy seandarcy2 at gmail.com
Sat Mar 1 11:13:12 PST 2014


On 02/28/2014 07:05 AM, Simon McVittie wrote:
> On 27/02/14 17:02, Sean Darcy wrote:
>> dbus[540]: [system] Rejected send message, 2 matched rules;
>> type="method_call", sender=":1.8319" (u
>> id=504 pid=1680 comm="systemctl stop vncserver@:2 ")
>> interface="org.freedesktop.systemd1.Manager" member="StopUnit" error
>> name="(unset)" requested_reply="0"
>> destination="org.freedesktop.systemd1" (uid=0 pid=1
>> comm="/usr/lib/systemd/systemd --switched-root --system ")
>
> The system bus is a security boundary, so it has a "forbid everything by
> default" policy. Individual services can set up more lenient
> access-control in /etc/dbus-1/system.d.
>
> systemd's access policy (which is in
> /etc/dbus-1/system.d/org.freedesktop.systemd1.conf on my system) allows
> all operations to be done by root, and a limited subset (mostly read
> operations) to be done by any other user.
>
> In general, it would be considered a security vulnerability (denial of
> service) for unprivileged users to be able to stop or start arbitrary
> system services. If your local security policy is that that's OK, you
> could allow that by editing
> /etc/dbus-1/system.d/org.freedesktop.systemd1.conf (or a new file in
> system.d using that file as a template) to allow the two denied calls,
> something like:
>
>          <policy context="default">
>                  <allow send_destination="org.freedesktop.systemd1"
>                         send_interface="org.freedesktop.systemd1.Manager"
>                         send_member="StartUnit"/>
>                  <allow send_destination="org.freedesktop.systemd1"
>                         send_interface="org.freedesktop.systemd1.Manager"
>                         send_member="StopUnit"/>
>          </policy>
>
> However, that's probably more coarse-grained than you would like: it
> would allow any user (even pseudo-users like 'nobody' and 'daemon') to
> restart any unit. Using sudo or similar is probably a better way, for
> which read on.
>
>> AFAICT, sudoers doesn't help, it's a dbus thing.
>
> sudo can help if you give the users permission to run systemctl as root,
> something like:
>
>      # sudoers
>      %users  ALL=(root) NOPASSWD: /usr/local/bin/restart-vncserver
>
>      # /usr/local/bin/restart-vncserver
>      #!/bin/sh
>      case "$*" in
>          ([0-9]|[0-9][0-9])
>              systemctl restart vncserver@:${1}.service
>              ;;
>          (*)
>              echo "usage: restart-vncserver DISPLAYNUMBER"
>              ;;
>      esac
>
> (This example assumes that your security policy is "users may restart
> VNC servers numbered 0 to 99"; adjust as needed. I used a wrapper script
> here to avoid having to give permission to run arbitrary systemctl
> subcommands with arbitrary options.)
>
> That way, the privileges being checked by systemctl are those of root,
> not the user, and the access will be allowed. Of course, when doing
> that, you're responsible for configuring sudoers and the invoked script
> to be secure (env_reset in sudoers, etc.), for a value of "secure"
> appropriate for your local security policy.
>
>> , though the error message points to org.freedesktop.systemd1.Manager
>> which is in
>> /usr/share/dbus-1/interfaces/org.freedesktop.systemd1.Manager.xml.
>
> That's just "documentation" of the Manager interface itself, which might
> be an interesting or useful reference, but does not affect the security
> policy.
>
>      S
>

Thanks for the prompt and useful reply. It explained a lot of how dbus
can work.

But...it didn't work.

Used visudo to add to sudoers:

%users  ALL=(root) NOPASSWD: /usr/local/bin/vnc2

created /usr/local/bin/vnc2
  cat /usr/local/bin/vnc2
#!/bin/sh

systemctl stop vncserver@:2
rm -f /tmp/.X2-lock
rm -f /tmp/.X11-unix/X2
systemctl start vncserver@:2


(vnc2 instead of a script for all servers, since I can adjust
permissions for each vnc[2-N])

So then I created /etc/dbus-1/system.d/vnc.local.conf:

<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
         "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<!--
   This file is part of systemd.

   systemd is free software; you can redistribute it and/or modify it
   under the terms of the GNU Lesser General Public License as published by
   the Free Software Foundation; either version 2.1 of the License, or
   (at your option) any later version.
-->

<busconfig>

         <policy context="default">

                 <allow send_destination="org.freedesktop.systemd1"
                        send_interface="org.freedesktop.systemd1.Manager"
                        send_member="StartUnit"/>

                 <allow send_destination="org.freedesktop.systemd1"
                        send_interface="org.freedesktop.systemd1.Manager"
                        send_member="StopUnit"/>

         </policy>

</busconfig>

I saw dbus reload in syslog.

Which worked.

Is there any way to specify that only vncserver@:N can be started or 
stopped, and not all system services?

Thanks again for all the help.

sean
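As an added example (not code from either mail), here is a hardened form of the sudo-wrapper approach from Simon's reply that answers the last question directly: the caller may only name a display number, the script derives the vncserver@:N unit itself, and everything else is rejected before systemctl runs. It assumes a hypothetical script path /usr/local/bin/restart-vncserver granted by the sudoers line Simon showed, and borrows the stale-lock cleanup from the vnc2 script above.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/restart-vncserver (added example, not from the thread).
# Meant to be the only command granted in sudoers, e.g.
#   %users ALL=(root) NOPASSWD: /usr/local/bin/restart-vncserver
# so users can restart vncserver@:N units and nothing else.
set -eu

# Map a display number to its unit name. Prints the unit and returns 0 for
# 0-99; returns 1 for anything else (unit names, options, shell metacharacters).
vnc_unit_for_display() {
    case "$1" in
        ([0-9]|[0-9][0-9]) printf 'vncserver@:%s.service\n' "$1" ;;
        (*) return 1 ;;
    esac
}

# Stop the unit, remove the stale X lock files mentioned in the thread, start
# it again. $2 is the systemctl command (default /usr/bin/systemctl; the test
# passes a stub). Returns 2 when the display number is rejected.
restart_vncserver() {
    unit=$(vnc_unit_for_display "$1") || {
        echo "usage: restart-vncserver DISPLAYNUMBER (0-99)" >&2
        return 2
    }
    systemctl_cmd=${2:-/usr/bin/systemctl}
    "$systemctl_cmd" stop "$unit"
    # Paths are built only from the validated digits, never from raw input.
    rm -f "/tmp/.X$1-lock" "/tmp/.X11-unix/X$1"
    "$systemctl_cmd" start "$unit"
}

# Act only when executed as the installed script (not when sourced by a test),
# and accept exactly one argument.
if [ "${0##*/}" = "restart-vncserver" ]; then
    [ "$#" -eq 1 ] || { echo "usage: restart-vncserver DISPLAYNUMBER" >&2; exit 2; }
    restart_vncserver "$1"
fi
```

Because the unit name is fixed to the vncserver@ template and the argument is validated before any command runs, the sudo grant cannot be turned into a way to stop or start other system services.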


