System D-Bus does not allow punching out ownership with conf files


Problem description

I am trying to create a daemon service that runs on the system bus where the permissions for sending and receiving from this service should be completely open to anybody. (Security is not a concern for this service). When I attempt to register the service using QtDbus (using the PyQt for it) I get this error: Connection ":1.0" is not allowed to own the service "org.dbus.arduino" due to security policies in the configuration file. This other stack overflow has the same error, but does not help at all in this situation for some reason. dbus_bus_request_name (): Connections are not allowed to own the service.

Normally you're supposed to leave the system.conf file intact and add your permissions "punch out" config file in the system.d directory. I have done this, but it does not seem to change anything, regardless of how open I make the permissions. In fact I'm almost positive it's not changing anything! Here is my conf file as it sits right this moment.

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<busconfig>
    <policy user="myUser">
        <allow own="*"/>
        <allow own="org.dbus.arduino"/>
        <allow send_type="method_call" log="true"/>
    </policy>
    <policy user="root">
        <allow own="*"/>
        <allow own="org.dbus.arduino"/>
        <allow send_type="method_call" log="true"/>
    </policy>
    <policy context="default">
    </policy>
</busconfig>

Even if I do this or things like it, it STILL doesn't work.

<busconfig>
    <policy context="default">
        <allow own="*"/>
        <allow own="org.dbus.arduino"/>
        <allow send_type="method_call" log="true"/>
    </policy>
</busconfig>

I even put the name of the file starting with a z so that it may be the very last one that is read in. Here is the system.conf file, note where I have commented out the "allow own" section. This is the ONLY way to get this to work (and the worst possible "fix").

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Our well-known bus type, do not change this -->
  <type>system</type>

  <!-- Run as special user -->
  <user>messagebus</user>

  <!-- Fork into daemon mode -->
  <fork/>

  <!-- We use system service launching using a helper -->
  <standard_system_servicedirs/>

  <!-- This is a setuid helper that is used to launch system services -->
  <servicehelper>/lib/dbus-1/dbus-daemon-launch-helper</servicehelper>

  <!-- Write a pid file -->
  <pidfile>/var/run/dbus/pid</pidfile>

  <!-- Enable logging to syslog -->
  <syslog/>

  <!-- Only allow socket-credentials-based authentication -->
  <auth>EXTERNAL</auth>

  <!-- Only listen on a local socket. (abstract=/path/to/socket 
       means use abstract namespace, don't really create filesystem 
       file; only Linux supports this. Use path=/whatever on other 
       systems.) -->
  <listen>unix:path=/var/run/dbus/system_bus_socket</listen>

  <policy context="default">
    <!-- All users can connect to system bus -->
    <allow user="*"/>

    <!-- Holes must be punched in service configuration files for
         name ownership and sending method calls -->
    <deny own="*"/>
    <deny send_type="method_call" log="true"/>

    <!-- THIS IS THE ONLY WAY TO GET THIS TO WORK
    <allow own="*"/>
    <allow send_type="method_call" log="true"/>
    -->



    <!-- Signals and reply messages (method returns, errors) are allowed
         by default -->
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>

    <!-- All messages may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>

    <!-- Allow anyone to talk to the message bus -->
    <allow send_destination="org.freedesktop.DBus"/>
    <!-- But disallow some specific bus services -->
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>

  </policy>

  <!-- Config files are placed here that among other things, punch 
       holes in the above policy for specific services. -->
  <includedir>system.d</includedir>

  <!-- This is included last so local configuration can override what's 
       in this standard file -->
  <include ignore_missing="yes">system-local.conf</include>

  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>

</busconfig>

I absolutely have to use the System bus because I am deploying it on a Raspberry Pi without a GUI, (no x11, and no session bus). I was able to get the Raspberry Pi working only by completely allowing everything on the system bus (security is not nearly as big of a deal on this device). Obviously, there is no way I'm allowing that to occur on my development machine. As background I am using Opensuse 12.2 and the Raspberry Pi is Debian Squeeze. I cannot own the service with my user account, nor root, unless I completely open the permissions up, in that case it works just fine. I will also note that when I completely opened up the system bus, I still had to use root to send messages to the daemon (a terminate command). I'd like the solution to be able to be runnable via a particular user with root having access as well. I am also OK with the solution only allowing the same user and root to send messages to it.

Thanks for any help, I'm sure it's a small issue!

Recommended answer

I finally found the issue. When Dbus looks for configuration files for punching out permissions (like ownerships) the file not only must be in system.d/ but it must also end in .conf.

My configuration file "org.dbus.arduino" should have been "org.dbus.arduino.conf". I removed the code from system.conf, confirmed I no longer had permissions, created a configuration file at "system.d/org.dbus.arduino.conf", and was granted permissions. I then attempted to rename the file to just "org.dbus.arduino" and confirmed the permissions were denied.
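As an added example that is not part of the original question or answer: a POSIX shell script that writes the narrower policy the asker said they would accept (only myUser may own org.dbus.arduino, only myUser and root may send to it, everyone else keeps the system.conf default deny) under the correct .conf name, plus a check that flags busconfig files in a system.d directory whose name lacks the .conf suffix and which dbus-daemon therefore silently ignores. The user name myUser and the bus name org.dbus.arduino are taken from the question; the directory argument is a constructed path for offline testing.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the service user
# is "myUser" and the bus name is "org.dbus.arduino", both from the question.

# Write a least-privilege punch-out policy. The file name MUST end in .conf;
# dbus-daemon ignores anything else in system.d, which was the real bug.
write_arduino_policy() {
    dir="$1"
    cat > "$dir/org.dbus.arduino.conf" <<'EOF'
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Only the daemon's own user may claim the name; no own="*" wildcard -->
  <policy user="myUser">
    <allow own="org.dbus.arduino"/>
    <allow send_destination="org.dbus.arduino"/>
  </policy>
  <!-- root may talk to the daemon (e.g. send the terminate command) -->
  <policy user="root">
    <allow send_destination="org.dbus.arduino"/>
  </policy>
  <!-- No default-context rules: other users stay under system.conf's deny -->
</busconfig>
EOF
}

# Report busconfig files in a system.d directory that lack the .conf suffix.
# Such files are skipped by dbus-daemon, so a policy that "does nothing" is
# often just misnamed. Returns 0 when none are found, 1 otherwise.
find_misnamed_policies() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.conf) continue ;; esac
        if grep -q '<busconfig' "$f"; then
            echo "ignored by dbus-daemon (no .conf suffix): $f"
            found=1
        fi
    done
    return $found
}
```

Run find_misnamed_policies against /etc/dbus-1/system.d (root not required for reading) before assuming a policy change has been loaded.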
