[systemd-devel] hostnamectl set-hostname non-admin user
Silvio Knizek
killermoehre at gmx.net
Tue Apr 6 18:26:45 UTC 2021
On Tuesday, 06.04.2021 at 16:21 +0300, Damien LEFEVRE wrote:
> Hi,
>
> I have an embedded device and I do not install sudo. I need to have a
> non-root running the main service capable of changing the hostname.
>
> After spending a long afternoon on this I still have not managed.
>
> Here I've tried adding my new user but only read-only requests go
> through
> /usr/share/dbus-1/system.d/org.freedesktop.hostname1.conf
> ```xml
> <?xml version="1.0"?> <!--*-nxml-*-->
> <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
>         "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
>
> <!--
> SPDX-License-Identifier: LGPL-2.1+
>
> This file is part of systemd.
>
> systemd is free software; you can redistribute it and/or modify it
> under the terms of the GNU Lesser General Public License as
> published by
> the Free Software Foundation; either version 2.1 of the License, or
> (at your option) any later version.
> -->
>
> <busconfig>
>
>         <policy user="root">
>                 <allow own="org.freedesktop.hostname1"/>
>                 <allow send_destination="org.freedesktop.hostname1"/>
>                 <allow receive_sender="org.freedesktop.hostname1"/>
>         </policy>
>
>         <policy user="myuser">
>                 <!--<allow own="org.freedesktop.hostname1"/>-->
>                 <allow send_destination="org.freedesktop.hostname1"/>
>                 <allow receive_sender="org.freedesktop.hostname1"/>
>         </policy>
>
>         <policy context="default">
>                 <allow send_destination="org.freedesktop.hostname1"/>
>                 <allow receive_sender="org.freedesktop.hostname1"/>
>         </policy>
>
> </busconfig>
> ```
>
>
> /usr/share/polkit-1/actions/org.freedesktop.hostname1.policy
> ```xml
> <?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
>         "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
>
> <!--
> SPDX-License-Identifier: LGPL-2.1+
>
> systemd is free software; you can redistribute it and/or modify it
> under the terms of the GNU Lesser General Public License as
> published by
> the Free Software Foundation; either version 2.1 of the License, or
> (at your option) any later version.
> -->
>
> <policyconfig>
>
>         <vendor>The systemd Project</vendor>
>         <vendor_url>http://www.freedesktop.org/wiki/Software/systemd</vendor_url>
>
>         <action id="org.freedesktop.hostname1.set-hostname">
>                 <description gettext-domain="systemd">Set host name</description>
>                 <message gettext-domain="systemd">Authentication is required to set the local host name.</message>
>                 <defaults>
>                         <allow_any>auth_admin_keep</allow_any>
>                         <allow_inactive>auth_admin_keep</allow_inactive>
>                         <allow_active>auth_admin_keep</allow_active>
>                 </defaults>
>         </action>
>
>         <action id="org.freedesktop.hostname1.set-static-hostname">
>                 <description gettext-domain="systemd">Set static host name</description>
>                 <message gettext-domain="systemd">Authentication is required to set the statically configured local host name, as well as the pretty host name.</message>
>                 <defaults>
>                         <allow_any>auth_admin_keep</allow_any>
>                         <allow_inactive>auth_admin_keep</allow_inactive>
>                         <allow_active>auth_admin_keep</allow_active>
>                 </defaults>
>                 <annotate key="org.freedesktop.policykit.imply">org.freedesktop.hostname1.set-hostname org.freedesktop.hostname1.set-machine-info</annotate>
>         </action>
>
>         <action id="org.freedesktop.hostname1.set-machine-info">
>                 <description gettext-domain="systemd">Set machine information</description>
>                 <message gettext-domain="systemd">Authentication is required to set local machine information.</message>
>                 <defaults>
>                         <allow_any>auth_admin_keep</allow_any>
>                         <allow_inactive>auth_admin_keep</allow_inactive>
>                         <allow_active>auth_admin_keep</allow_active>
>                 </defaults>
>         </action>
>
>         <action id="org.freedesktop.hostname1.get-product-uuid">
>                 <description gettext-domain="systemd">Get product UUID</description>
>                 <message gettext-domain="systemd">Authentication is required to get product UUID.</message>
>                 <defaults>
>                         <allow_any>auth_admin_keep</allow_any>
>                         <allow_inactive>auth_admin_keep</allow_inactive>
>                         <allow_active>auth_admin_keep</allow_active>
>                 </defaults>
>         </action>
>
> </policyconfig>
> ```
>
> Despite all my attempts I always get 'Could not set property: Access
> denied' for hostnamectl set-hostname
>
> And get the 'org.freedesktop.DBus.Error.AccessDenied' in dbus-monitor
>
> method call time=1617739342.317948 sender=:1.23 ->
> destination=org.freedesktop.hostname1 serial=3
> path=/org/freedesktop/hostname1; interface=org.freedesktop.hostname1;
> member=SetStaticHostname
> string "blabla"
> boolean true
> ...
> error time=1617739342.320289 sender=:1.24 -> destination=:1.23
> error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=3
> string "Permission denied"
>
>
> Any help would be greatly appreciated =)
>
> -Damien
Hi Damien,
you actually need to configure polkit for this. Something like
/etc/polkit-1/rules.d/49-allow-myuser-access-to-hostnamed.rules
```javascript
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.hostname1.set-hostname") {
        if (subject.user == "myuser") {
            return polkit.Result.YES;
        }
    }
});
```
Your dbus definition only says that one can define rules including such
actions.
HTH
Silvio
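
Added example (not part of the thread, and not systemd or polkit code): a Node harness that checks which hostnamed actions a rules.d rule grants, and to whom, before the file is installed on the device. The `polkit` stub, the `decide` helper and the user "otheruser" are constructed for illustration; the action ids and "myuser" come from the messages above.

```javascript
// Constructed stand-in for the `polkit` object polkitd gives to rules files,
// so the rule's decisions can be checked under Node before deployment.
const polkit = {
  Result: { YES: "yes", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Assumption: "myuser" is the service account, as in the thread.
const ALLOWED_USER = "myuser";

// The dbus-monitor trace shows member=SetStaticHostname, which hostnamed
// authorizes as set-static-hostname. The quoted .policy annotates that action
// with "imply" for set-hostname and set-machine-info, so polkitd extends a
// YES on it to those two as well (the harness does not model that step).
const ALLOWED_ACTIONS = [
  "org.freedesktop.hostname1.set-hostname",
  "org.freedesktop.hostname1.set-static-hostname",
];

// Rule body in the form a rules.d file would carry it.
polkit.addRule(function (action, subject) {
  if (ALLOWED_ACTIONS.indexOf(action.id) !== -1 &&
      subject.user === ALLOWED_USER) {
    return polkit.Result.YES;
  }
  // No return value: later rules and the .policy defaults decide.
});

// Mimic polkitd's evaluation order: the first rule returning a result wins.
function decide(actionId, user) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, { user: user });
    if (result !== undefined && result !== null) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed requests: (action id suffix, requesting user).
const PREFIX = "org.freedesktop.hostname1.";
for (const [id, user] of [
  ["set-static-hostname", "myuser"],
  ["set-hostname", "myuser"],
  ["get-product-uuid", "myuser"],
  ["set-static-hostname", "otheruser"],
]) {
  console.log(id, user, "->", decide(PREFIX + id, user));
}
```

A "not_handled" result means the request falls back to the auth_admin_keep defaults in the .policy file, which is the denial seen on a device with no authentication agent.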