[systemd-devel] Antw: [EXT] Re: [systemd‑devel] Run reboot as normal user

Mohamed Ali Fodha fodha.mohamed.ali at gmail.com
Thu Dec 2 07:42:25 UTC 2021 

According to this thread https://github.com/systemd/systemd/issues/11034,
kdbus can manage linux capabilities but dbus can't, isn't it?
Below is what I did in my binary















* r = sd_bus_open_system(&bus); if (r < 0) {         sm_error("Failed to
connect to system bus\n"); } r = sd_bus_call_method(bus,
 "org.freedesktop.systemd1",              "/org/freedesktop/systemd1",
           "org.freedesktop.systemd1.Manager",           "StartUnit",
                      &error,                                     &m,
                                     "ss",
       "reboot.target",
 "replace-irreversibly");*

This call returns -13 (#define EACCES 13 /* Permission denied */)
Below are the capabilities of the binary (hwmanager is called by regular
user)

*root at imx6quad:~# getcap /usr/sbin/hwmanager*

*/usr/sbin/hwmanager  =
cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_kill,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_rawio,cap_sys_admin,cap_sys_boot,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_syslog+eip*

Mohamed Ali

Le mer. 1 déc. 2021 à 11:38, Ulrich Windl <Ulrich.Windl at rz.uni-regensburg.de>
a écrit :

> >>> Martin Wilck <mwilck at suse.com> schrieb am 01.12.2021 um 10:41 in
> Nachricht
> <a64771271a667804c450a13481cee06180965b12.camel at suse.com>:
> > On Wed, 2021‑12‑01 at 10:24 +0100, Ulrich Windl wrote:
> >> > >
> >>
> >> And I wonder what's wrong with allowing the shutdown command for the
> >> user in
> >> sudoers.
> >> (sudo $(which shutdown) ‑r now)
> >
> > Sure. I thought sudo might not be installed on that embedded system,
> > either. If it is, I'd prefer it over other solutions simply because
> > it's more transparent. Capability bits tend to go unnoticed.
> >
>
> Quote from OP: "Previously the guest user was in sudoers (so to run reboot
> the
> systemd
> service uses "sudo") but actually our customer wants to remove the guest
> user from sudoers."
>
> It was some odd security debate: If someone can operate as guest he/she
> should
> not be able to reboot, while the guest user should be.
> (Maybe I misunderstood. Any case some details for the problem are missing)
>
>
> > Martin
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20211202/34a14fbe/attachment-0001.htm>

More information about the systemd-devel mailing list