[systemd-devel] How to make sd_bus_creds_has_effective_cap return success.
Lal, Arun
arun.lal at intel.com
Fri Mar 10 06:54:17 UTC 2023
Hi All,
I would like to receive some clarity on the following commit in systemd (https://github.com/systemd/systemd/commit/def9a7aa0182e5ecca3ac61b26f75136a5c4f103).
I was trying to run an application as non-root.
Currently, I am facing an issue that I am not able to make a "busctl call" from a non-root user to a D-Bus service running as root.
Example:
1. Create a non-root user using useradd command
2. The following is exposed by a daemon running as root
   service    - xyz.openbmc_project.xxxx
   objectpath - /xyz/openbmc_project/xxxx/get_data
   interface  - xyz.openbmc_project.GetData
   method     - getData
3. From PuTTY, log in to the BMC console and switch to the non-root user using "su nonrootuser"
4. Run the following command:
   busctl call xyz.openbmc_project.xxxx /xyz/openbmc_project/xxxx/get_data xyz.openbmc_project.GetData getData
and we get the response "Call Failed: Access denied".
On investigation, the 'Access Denied' failure response was coming from the systemd recipe.
From file systemd\src\libsystemd\sd-bus\bus-convenience.c
method_callbacks_run->check_access fails
In the case of root, check_access->sd_bus_query_sender_privilege returns 1 because of the following condition:
    if (sender_uid == our_uid)
            return 1;
In the case of non-root, the check_access->sd_bus_query_sender_privilege function returns 0.
I would like to understand how "return 1" can be achieved from sd_bus_query_sender_privilege function.
Specifically, the below-mentioned "return 1":
    r = sd_bus_creds_has_effective_cap(creds, capability);
    if (r > 0)
            return 1;
From your commit message I can see that polkit has some role here. But I am new to polkit and any help would be appreciated 😊
Regards,
Arun Lal K M