[systemd-devel] Cannot call GetUnit method with ssh

Bao Nguyen baondt at gmail.com
Fri Mar 8 09:05:26 UTC 2019


Hi Lennart,

After debugging the problem, this is what I see when I strace the busctl call method command:

strace -f -tt busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager GetUnit s sys-devices-platform-serial8250-tty-ttyS6.device


07:54:32.027830 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
07:54:32.028045 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0
07:54:32.028146 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
07:54:32.028240 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0
07:54:32.028369 getsockname(3, {sa_family=AF_LOCAL, NULL}, [2]) = 0
07:54:32.028477 geteuid()               = 701
07:54:32.028584 sendmsg(3, {msg_name(0)=NULL, msg_iov(3)=[{"\0AUTH EXTERNAL ", 15}, {"373031", 6}, {"\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 28}], msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 49
07:54:32.028854 gettid()                = 6861
07:54:32.028954 getrandom("f\7Wa\3512\306\316\3325\246\372\207\247\272(", 16, GRND_NONBLOCK) = 16
*07:54:32.029115 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"REJECTED EXTERNAL DBUS_COOKIE_SH"..., 256}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 82*
*07:54:32.029230 writev(2, [{"Access denied", 13}, {"\n", 1}], 2Access denied*

I can see that the "Access Denied" is thrown because the system dbus fails
to authenticate the NEGOTIATE_UNIX_FD sent from the client. It returns *REJECTED
EXTERNAL DBUS_COOKIE_SH.* Could you please help to explain more why DBUS
fails to authenticate? Is there any workaround to make it authenticate
successfully? I restarted dbus and the error went away. Not sure why, and
maybe restarting dbus is not a good workaround.

My system uses SSSD, PAM and LDAP to authenticate the user.

Thanks,
Brs,
Naruto

On Sat, Mar 2, 2019 at 2:31 PM Bao Nguyen <baondt at gmail.com> wrote:
>
> Hi Lennart,
>
> Thanks for your information.
>
> I do not use selinux. Could you please show me how to enable dbus log?
> I found this thread https://wiki.ubuntu.com/DebuggingDBus, not sure it
> works but I'll give it a try.
>
> BTW, last time when I enabled systemd debug systemd.log_level=debug, I
> found this log
>
> systemd[1]: Got message type=method_call sender=:1.183
> destination=org.freedesktop.systemd1 object=/org/freedesktop/systemd1
> interface=org.freedesktop.systemd1.Manager member=GetUnit cookie=2
> reply_cookie=0 error=n/a
> systemd[1]: Sent message type=method_return sender=n/a
> destination=:1.183 object=n/a interface=n/a member=n/a cookie=2151
> reply_cookie=2 error=n/a
>
> This is when I can ssh successfully. When it fails, the Sent message
> (and maybe Got Message as well, sorry I lost the log, I will update
> later) has sender and destination "n/a". Could you please elaborate
> on this "n/a", can it lead to the "Access denied"?
>
> And if dbus-daemon refused access to the unit's runtime data, when I
> restart dbus, there is no error "Access Denied" anymore. How does
> restarting dbus relate with Access Denied? If it is permission, I
> guess even restarting dbus, it still meets Access Denied.
>
> Sorry for asking a lot of questions.
>
> Thanks a lot,
> Brs,
> Naruto
>
> On Fri, Mar 1, 2019 at 5:22 PM Lennart Poettering
> <lennart at poettering.net> wrote:
> >
> > On Do, 28.02.19 18:21, Bao Nguyen (baondt at gmail.com) wrote:
> >
> > > Hello everyone,
> > >
> > > I am using systemd 228. When the system starts successfully, I tried
> > > to login to my system via ssh with my one of setting users, and I can
> > > log in successfully but systemd throws an error message:
> > >
> > > "Failed to get unit: Access denied"
> > >
> > > When I trace the code of systemd, I found the message thrown from the
> > > method call via sdbus. This is one of the functions I added in systemd
> > > source
> > >
> > >         r = sd_bus_call_method(
> > >                         bus,
> > >                         "org.freedesktop.systemd1",
> > >                         "/org/freedesktop/systemd1",
> > >                         "org.freedesktop.systemd1.Manager",
> > >                         "GetUnit",
> > >                         &error_message,
> > >                         &reply_return,
> > >                         "s", name_unit);
> > >         if (r < 0) {
> > >                         return log_errno(r, "Failed to get unit: %s",
> > > bus_error_message(&error_message, r));
> > >         }
> > >
> > > But somehow it cannot call GetUnit method from interface
> > > org.freedesktop.systemd1.Manager with error "Access denied". Could you
> > > please let me know what the error message of this method call means ?
> > > Does it relate any to user permission and if any setting permission of
> > > user can cause the method called via sdbus can not retrieve unit
> > > object path for a unit name during ssh?
> >
> > This means dbus-daemon or selinux refused access to the unit's runtime
> > data.
> >
> > if it's dbus there might be more info in the dbus logs.
> >
> > if it's selinux (do you use that?) there might be AVCs...
> >
> > Lennart
> >
> > --
> > Lennart Poettering, Red Hat
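
The D-Bus authentication exchange captured in the strace output at the top of this message can be decoded offline; the following is an added example, not part of the original thread or of systemd. It shows that the AUTH EXTERNAL argument 373031 is the hex encoding of the uid string "701" (the geteuid() value in the same trace) and that REJECTED is the server's answer to AUTH, followed by the mechanisms it offers. The byte strings are constructed from the trace and the function names are illustrative.

```python
# Bytes constructed from the strace lines in the message (mail line wraps re-joined).
SENT = b"\0AUTH EXTERNAL 373031\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n"
# strace cut the reply off after "DBUS_COOKIE_SH"; only the visible prefix is used.
REPLY_PREFIX = b"REJECTED EXTERNAL DBUS_COOKIE_SH"
EUID = 701  # value returned by geteuid() in the same trace


def parse_client(data: bytes) -> list[tuple[str, str]]:
    """Split the pipelined client handshake into (command, argument) pairs."""
    if data[:1] != b"\0":
        raise ValueError("handshake must start with the NUL credentials byte")
    if not data.endswith(b"\r\n"):
        raise ValueError("last command is not CRLF-terminated")
    pairs = []
    for line in data[1:-2].split(b"\r\n"):
        command, _, argument = line.decode("ascii").partition(" ")
        pairs.append((command, argument))
    return pairs


def external_uid(pairs: list[tuple[str, str]]) -> int:
    """Decode the identity claimed by AUTH EXTERNAL: hex of the decimal uid string."""
    for command, argument in pairs:
        if command == "AUTH":
            mechanism, _, hex_identity = argument.partition(" ")
            if mechanism != "EXTERNAL":
                raise ValueError(f"unexpected mechanism {mechanism!r}")
            return int(bytes.fromhex(hex_identity).decode("ascii"))
    raise ValueError("no AUTH command in handshake")


def parse_reply(prefix: bytes) -> dict:
    """Read the first server line; REJECTED answers AUTH and lists offered mechanisms."""
    first_line, crlf, _ = prefix.partition(b"\r\n")
    verdict, _, rest = first_line.decode("ascii").partition(" ")
    return {
        "verdict": verdict,
        "mechanisms": rest.split(),
        "truncated": crlf == b"",  # no CRLF seen, so the last token may be cut short
    }


if __name__ == "__main__":
    pairs = parse_client(SENT)
    print("client commands:", [c for c, _ in pairs])
    print("claimed uid:", external_uid(pairs), "euid:", EUID)
    print("server reply:", parse_reply(REPLY_PREFIX))
```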