[systemd-devel] allow a group to set datetime with timedatectl

Mantas Mikulėnas grawity at gmail.com
Tue Mar 12 05:17:58 PDT 2013


On Tue, Mar 12, 2013 at 11:52 AM, Andreas Müller
<schnitzeltony at googlemail.com> wrote:
> Hi,
>
> I know it is more a dbus-issue and an experts-LOL but maybe somebody
> can help me here: I would like to have a group which is permitted to
> set datetime with timedatectl. What I did:
>
> As root
> 1. groupadd -r datetime
> 2. usermod -a -G datetime operator
> 4. In '/etc/dbus-1/system.d/org.freedesktop.timedate1.conf' I added in
> the <busconfig> section:
>
>         <policy group="datetime">
>                 <allow send_destination="org.freedesktop.timedate1"
> send_interface="org.freedesktop.timedate1" send_member="SetTime"/>
>         </policy>
>
> As operator I get:
>> timedatectl set-time "2013-03-12 09:50"
> Failed to issue method call: Access denied

DBus policies are not the problem here. systemd already distributes
policies that allow anyone to send to timedate1.

All authorization checks (in daemons outside pid1) are done using
polkit. (This allows for more flexible policies... or something like
that, anyway.) If you have polkit 0.107 or newer, see polkit(8) [1]
for documentation on writing custom authorization rules.

For example, /etc/polkit-1/rules.d/10-local.rules would look like:

// Allow members of the "datetime" group to set the system time.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.timedate1.set-time"
        && subject.isInGroup("datetime")) {
            return polkit.Result.YES;
    }
});

If you have polkit 0.105 or older, see pklocalauthority(8) [2] – it
uses a different, simpler rule format.

In both cases, you can find the action names using pkaction(1) [3] or
in /usr/share/polkit-1/actions; note that they don't always map
directly to DBus method names.

[1]: http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
[2]: http://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html
[3]: http://www.freedesktop.org/software/polkit/docs/latest/pkaction.1.html

--
Mantas Mikulėnas <grawity at gmail.com>
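
Added example (not part of the original message, and not polkit's own code): a way to dry-run the rule above offline before installing it. makePolkit(), check(), decide() and the "not handled" sentinel are constructed stand-ins that model only addRule(), polkit.Result and the first-returned-value-wins order; the set-timezone action is used as a second, non-matching action.

```javascript
// Constructed stand-in for polkitd's rule engine (not polkit's own code). It models
// only addRule(), polkit.Result and "the first rule that returns a value wins".
function makePolkit() {
    const rules = [];
    return {
        Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin" },
        addRule(fn) { rules.push(fn); },
        // Hypothetical helper: evaluate one request against the registered rules.
        check(actionId, groups) {
            const action = { id: actionId };
            const subject = { isInGroup: (g) => groups.includes(g) };
            for (const rule of rules) {
                const result = rule(action, subject);
                if (result !== undefined && result !== null) return result;
            }
            // No rule decided: real polkit falls back to the action's defaults.
            return "not handled";
        },
    };
}

// Rule body as it would go into /etc/polkit-1/rules.d/10-local.rules.
function installRule(polkit) {
    polkit.addRule(function (action, subject) {
        if (action.id == "org.freedesktop.timedate1.set-time" &&
            subject.isInGroup("datetime")) {
            return polkit.Result.YES;
        }
    });
}

// Variant that compares the action object itself instead of action.id;
// an object never equals the string, so this rule never matches.
function installRuleWithoutId(polkit) {
    polkit.addRule(function (action, subject) {
        if (action == "org.freedesktop.timedate1.set-time" &&
            subject.isInGroup("datetime")) {
            return polkit.Result.YES;
        }
    });
}

// Build a fresh engine, install one rule set, and return the decision.
function decide(install, actionId, groups) {
    const polkit = makePolkit();
    install(polkit);
    return polkit.check(actionId, groups);
}

const SET_TIME = "org.freedesktop.timedate1.set-time";
console.log(decide(installRule, SET_TIME, ["datetime"]));   // group member
console.log(decide(installRule, SET_TIME, ["users"]));      // non-member falls through
```

A "not handled" result means the request drops to the defaults declared for that action under /usr/share/polkit-1/actions, so the rule grants nothing beyond set-time for the datetime group.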

