[systemd-devel] systemd-devel Digest, Vol 155, Issue 8
Lal, Arun
arun.lal at intel.com
Sat Mar 11 08:29:42 UTC 2023
Hi Lennart Poettering,
Can you give me some more clarity on why this cannot safely be implemented?
Do you mean the use of polkit?
I have a few fundamental questions.
1) Dbus uses .conf files in /etc/dbus-1/system.d/ or /usr/share/dbus-1/system.d/ to allow and deny access to dbus method calls.
And what is the point of allowing a user in these conf files if eventually systemd will block the call?
2) Why does "busctl call" to standard interfaces such as org.freedesktop.DBus.Peer still work even if the caller is non-root?
3) I see that busctl commands such as "tree", "introspect" etc., are still allowed for a non-root user. So why is there a restriction on "call"?
My basic use case is that I want to run an application as non-root and be able to make a "busctl call" to an interface of an application running as root.
Do you think there is any way to do that?
Regards,
Arun Lal K M
-----Original Message-----
From: systemd-devel <systemd-devel-bounces at lists.freedesktop.org> On Behalf Of systemd-devel-request at lists.freedesktop.org
Sent: Friday, March 10, 2023 5:30 PM
To: systemd-devel at lists.freedesktop.org
Subject: systemd-devel Digest, Vol 155, Issue 8
Today's Topics:
1. How to make sd_bus_creds_has_effective_cap return success.
(Lal, Arun)
2. Re: How to make sd_bus_creds_has_effective_cap return
success. (Lennart Poettering)
----------------------------------------------------------------------
Message: 1
Date: Fri, 10 Mar 2023 06:54:17 +0000
From: "Lal, Arun" <arun.lal at intel.com>
To: "systemd-devel at lists.freedesktop.org"
<systemd-devel at lists.freedesktop.org>
Cc: "Ayushi, Smriti" <smriti.ayushi at intel.com>, "Shah, Nirav J2"
<nirav.j2.shah at intel.com>
Subject: [systemd-devel] How to make sd_bus_creds_has_effective_cap
return success.
Message-ID:
<DM4PR11MB53602B65BCDE4FCFED8B1B1B88BA9 at DM4PR11MB5360.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
Hi All,
I would like to receive some clarity on the following commit in systemd (https://github.com/systemd/systemd/commit/def9a7aa0182e5ecca3ac61b26f75136a5c4f103)
I was trying to run an application as non-root.
Currently, I am facing an issue that I am not able to make a "busctl call" from a non-root user to a D-Bus service running as root.
Example:
1. Create a non-root user using useradd command
2. The following is exposed by a daemon running as root
   service    - xyz.openbmc_project.xxxx
   objectpath - /xyz/openbmc_project/xxxx/get_data
   interface  - xyz.openbmc_project.GetData
   method     - getData
3. From putty log in to BMC console and using "su nonrootuser" switch to non-root user
4. Run the following command:
busctl call xyz.openbmc_project.xxxx /xyz/openbmc_project/xxxx/get_data xyz.openbmc_project.GetData getData
and we get response "Call Failed: Access denied"
On investigation, 'Access Denied' failure response was coming from the systemd recipe.
From file systemd\src\libsystemd\sd-bus\bus-convenience.c
method_callbacks_run->check_access fails
In case of root check_access->sd_bus_query_sender_privilege returns 1 because of the following condition:
    if (sender_uid == our_uid)
            return 1;
In case of non-root check_access->sd_bus_query_sender_privilege function returns 0
I would like to understand how "return 1" can be achieved from sd_bus_query_sender_privilege function.
Specifically the below mentioned "return 1"
    r = sd_bus_creds_has_effective_cap(creds, capability);
    if (r > 0)
            return 1;
From your commit message I can see that polkit has some role here. But I am new to polkit and any help would be appreciated.
Regards,
Arun Lal K M
------------------------------
Message: 2
Date: Fri, 10 Mar 2023 11:57:41 +0100
From: Lennart Poettering <lennart at poettering.net>
To: "Lal, Arun" <arun.lal at intel.com>
Cc: "systemd-devel at lists.freedesktop.org"
<systemd-devel at lists.freedesktop.org>, "Ayushi, Smriti"
<smriti.ayushi at intel.com>, "Shah, Nirav J2" <nirav.j2.shah at intel.com>
Subject: Re: [systemd-devel] How to make
sd_bus_creds_has_effective_cap return success.
Message-ID: <ZAsNJUyqqwHEFmd4 at gardel-login>
Content-Type: text/plain; charset=us-ascii
On Fr, 10.03.23 06:54, Lal, Arun (arun.lal at intel.com) wrote:
> Hi All,
>
> I would like to receive some clarity on following commit in systemd
> (https://github.com/systemd/systemd/commit/def9a7aa0182e5ecca3ac61b26f75136a5c4f103)
This is stuff that cannot safely be implemented on the AF_UNIX. It was a safe concept when kdbus was a thing.
Ignore it.
Lennart
--
Lennart Poettering, Berlin
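
The access decision traced in the first message, as a small C model added here (not code from systemd or from either poster). It models only the two branches quoted in that message; the `model_*` names, the `caps_known` flag and the sample callers are hypothetical, and capability 21 (CAP_SYS_ADMIN) is chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model type: what the service knows about the caller. */
struct model_creds {
    uid_t    euid;           /* caller's effective UID */
    bool     caps_known;     /* assumption: did the transport deliver capabilities? */
    uint64_t effective_caps; /* bitmask, bit N set = capability N is effective */
};

#define MODEL_CAP 21 /* CAP_SYS_ADMIN on Linux; illustrative choice */

/* Stand-in for sd_bus_creds_has_effective_cap():
 * 1 = has it, 0 = lacks it, negative = no capability data available. */
static int model_has_effective_cap(const struct model_creds *c, int cap) {
    if (!c->caps_known)
        return -1;
    return (int)((c->effective_caps >> cap) & 1u);
}

/* The two branches quoted in the message: capability first, then UID match. */
static int model_query_sender_privilege(const struct model_creds *sender,
                                        uid_t our_uid, int capability) {
    if (model_has_effective_cap(sender, capability) > 0)
        return 1;
    if (sender->euid == our_uid)
        return 1;
    return 0;
}

int main(void) {
    const uid_t service_uid = 0; /* the daemon runs as root */
    /* Constructed callers: root, non-root, non-root with known capability. */
    struct model_creds callers[] = {
        { 0,    false, 0 },
        { 1000, false, 0 },
        { 1000, true,  1ull << MODEL_CAP },
    };
    for (size_t i = 0; i < 3; i++)
        printf("euid=%lu caps_known=%d -> %d\n",
               (unsigned long)callers[i].euid, callers[i].caps_known,
               model_query_sender_privilege(&callers[i], service_uid, MODEL_CAP));
    return 0;
}
```

When the service only learns the caller's UID, the capability branch cannot return 1, so a non-root caller of a root-owned service falls through to the UID comparison and is denied.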