<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I would like to receive some clarity on the following commit in systemd (<a href="https://github.com/systemd/systemd/commit/def9a7aa0182e5ecca3ac61b26f75136a5c4f103">https://github.com/systemd/systemd/commit/def9a7aa0182e5ecca3ac61b26f75136a5c4f103</a>).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I was trying to run an application as non-root.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Currently, I am facing an issue that I am not able to make a "busctl call" from a non-root user to a D-Bus service running as root.</b><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Example:<o:p></o:p></p>
<p class="MsoNormal"> 1. Create a non-root user using useradd command<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> 2. The following is exposed by a daemon running as root<o:p></o:p></p>
<p class="MsoNormal"> service - xyz.openbmc_project.xxxx<o:p></o:p></p>
<p class="MsoNormal"> objectpath - /xyz/openbmc_project/xxxx/get_data <o:p></o:p></p>
<p class="MsoNormal"> interface - xyz.openbmc_project.GetData <o:p></o:p></p>
<p class="MsoNormal"> method - getData<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> 3. From PuTTY, log in to the BMC console and switch to the non-root user using "su nonrootuser"
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> 4. Run the following command:<o:p></o:p></p>
<p class="MsoNormal"> busctl call xyz.openbmc_project.xxxx /xyz/openbmc_project/xxxx/get_data xyz.openbmc_project.GetData getData<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <b>and we get the response "Call Failed: Access denied"</b><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">On investigation, the 'Access Denied' failure response was coming from the systemd recipe.<o:p></o:p></p>
<p class="MsoNormal">From file systemd\src\libsystemd\sd-bus\bus-convenience.c<o:p></o:p></p>
<p class="MsoNormal">method_callbacks_run->check_access fails<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">In case of root check_access->sd_bus_query_sender_privilege returns 1 because of the following condition<o:p></o:p></p>
<p class="MsoNormal">if (sender_uid == our_uid) <o:p></o:p></p>
<p class="MsoNormal"> return 1; <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">In case of non-root check_access->sd_bus_query_sender_privilege function returns 0 <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>I would like to understand how "return 1" can be achieved from sd_bus_query_sender_privilege function. </b><o:p></o:p></p>
<p class="MsoNormal">Specifically the below mentioned "return 1"<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> r = sd_bus_creds_has_effective_cap(creds, capability);<o:p></o:p></p>
<p class="MsoNormal"> if (r > 0)<br>
return 1;<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">From your commit message I can see that polkit has some role here. But I am new to polkit and any help would be appreciated
<span style="font-family:'Segoe UI Emoji',sans-serif">😊</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Arun Lal K M<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
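<p class="MsoNormal">Added example, not part of the original message and not systemd's code: a simplified shell model of the two "return 1" branches quoted above, deciding from a caller's CapEff mask (in the format of /proc/PID/status) and the two uids. The function names, the sample status text and the choice of capability 21 (CAP_SYS_ADMIN) as the required capability are assumptions made for illustration.</p>
<pre>
```shell
#!/bin/sh
# Added illustration: simplified model of the two "return 1" branches quoted
# in the message above. It is not systemd code; all names are hypothetical.

CAP_SYS_ADMIN=21   # Linux capability number; assumed to be the required capability

# cap_eff_of STATUS_TEXT: print the CapEff hex mask found in status-style text.
cap_eff_of() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2; exit }'
}

# has_effective_cap HEX_MASK CAP_NUMBER: succeed if that bit is set in the mask.
has_effective_cap() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sender_privileged STATUS_TEXT SENDER_UID SERVICE_UID
# Prints 1 when either modelled branch grants access, otherwise 0.
sender_privileged() {
    mask=$(cap_eff_of "$1")
    if has_effective_cap "$mask" "$CAP_SYS_ADMIN"; then
        echo 1; return 0      # capability branch
    fi
    if [ "$2" -eq "$3" ]; then
        echo 1; return 0      # sender_uid == our_uid branch
    fi
    echo 0
}

# Constructed sample status excerpts (not captured from a real system).
ROOT_STATUS='Name: sh
Uid: 0 0 0 0
CapEff: 000001ffffffffff'
USER_STATUS='Name: sh
Uid: 1000 1000 1000 1000
CapEff: 0000000000000000'

sender_privileged "$ROOT_STATUS" 0 0        # root caller, root service
sender_privileged "$USER_STATUS" 1000 0     # non-root caller, root service
sender_privileged "$USER_STATUS" 1000 1000  # caller and service share a uid
```
</pre>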
</div>
</body>
</html>