System D-Bus does not allow punching out ownership with conf files
Question
I am trying to create a daemon service that runs on the system bus where the permissions for sending and receiving from this service should be completely open to anybody. (Security is not a concern for this service.) When I attempt to register the service using QtDbus (using PyQt for it) I get this error: Connection ":1.0" is not allowed to own the service "org.dbus.arduino" due to security policies in the configuration file. This other Stack Overflow question has the same error, but does not help at all in this situation for some reason: dbus_bus_request_name(): Connections are not allowed to own the service.
Normally you're supposed to leave the system.conf file intact and add your permissions "punch out" config file in the system.d directory. I have done this, but it does not seem to change anything, regardless of how open I make the permissions. In fact I'm almost positive it's not changing anything! Here is my conf file as it sits right this moment.
<!DOCTYPE busconfig PUBLIC
  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="myUser">
    <allow own="*"/>
    <allow own="org.dbus.arduino"/>
    <allow send_type="method_call" log="true"/>
  </policy>
  <policy user="root">
    <allow own="*"/>
    <allow own="org.dbus.arduino"/>
    <allow send_type="method_call" log="true"/>
  </policy>
  <policy context="default">
  </policy>
</busconfig>
Even if I do this or things like it, it STILL doesn't work.
<busconfig>
  <policy context="default">
    <allow own="*"/>
    <allow own="org.dbus.arduino"/>
    <allow send_type="method_call" log="true"/>
  </policy>
</busconfig>
I even put the name of the file starting with a z so that it may be the very last one that is read in. Here is the system.conf file; note where I have commented out the "allow own" section. This is the ONLY way to get this to work (and the worst possible "fix").
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Our well-known bus type, do not change this -->
  <type>system</type>
  <!-- Run as special user -->
  <user>messagebus</user>
  <!-- Fork into daemon mode -->
  <fork/>
  <!-- We use system service launching using a helper -->
  <standard_system_servicedirs/>
  <!-- This is a setuid helper that is used to launch system services -->
  <servicehelper>/lib/dbus-1/dbus-daemon-launch-helper</servicehelper>
  <!-- Write a pid file -->
  <pidfile>/var/run/dbus/pid</pidfile>
  <!-- Enable logging to syslog -->
  <syslog/>
  <!-- Only allow socket-credentials-based authentication -->
  <auth>EXTERNAL</auth>
  <!-- Only listen on a local socket. (abstract=/path/to/socket
       means use abstract namespace, don't really create filesystem
       file; only Linux supports this. Use path=/whatever on other
       systems.) -->
  <listen>unix:path=/var/run/dbus/system_bus_socket</listen>
  <policy context="default">
    <!-- All users can connect to system bus -->
    <allow user="*"/>
    <!-- Holes must be punched in service configuration files for
         name ownership and sending method calls -->
    <deny own="*"/>
    <deny send_type="method_call" log="true"/>
    <!-- THIS IS THE ONLY WAY TO GET THIS TO WORK
    <allow own="*"/>
    <allow send_type="method_call" log="true"/>
    -->
    <!-- Signals and reply messages (method returns, errors) are allowed
         by default -->
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>
    <!-- All messages may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>
    <!-- Allow anyone to talk to the message bus -->
    <allow send_destination="org.freedesktop.DBus"/>
    <!-- But disallow some specific bus services -->
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>
  </policy>
  <!-- Config files are placed here that among other things, punch
       holes in the above policy for specific services. -->
  <includedir>system.d</includedir>
  <!-- This is included last so local configuration can override what's
       in this standard file -->
  <include ignore_missing="yes">system-local.conf</include>
  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
</busconfig>
I absolutely have to use the system bus because I am deploying it on a Raspberry Pi without a GUI (no X11, and no session bus). I was able to get the Raspberry Pi working only by completely allowing everything on the system bus (security is not nearly as big of a deal on this device). Obviously, there is no way I'm allowing that to occur on my development machine. As background, I am using openSUSE 12.2 and the Raspberry Pi is Debian Squeeze. I cannot own the service with my user account, nor root, unless I completely open the permissions up, in which case it works just fine. I will also note that when I completely opened up the system bus, I still had to use root to send messages to the daemon (a terminate command). I'd like the solution to be runnable via a particular user, with root having access as well. I am also OK with the solution only allowing the same user and root to send messages to it.
Thanks for any help; I'm sure it's a small issue!
Answer
I finally found the issue. When D-Bus looks for configuration files for punching out permissions (like ownership), the file not only must be in system.d/ but it must also end in .conf.
My configuration file "org.dbus.arduino" should have been "org.dbus.arduino.conf". I removed the code from system.conf and confirmed I no longer had permissions. I created a configuration file at "system.d/org.dbus.arduino.conf" and I was granted permissions. I then renamed the file to just "org.dbus.arduino" and confirmed the permissions were denied.