System dbus does not allow punching out ownership with conf files


Problem description

I am trying to create a daemon service that runs on the system bus, where the permissions for sending to and receiving from this service should be completely open to anybody (security is not a concern for this service). When I attempt to register the service using QtDBus (via PyQt) I get this error: 'Connection ":1.0" is not allowed to own the service "org.dbus.arduino" due to security policies in the configuration file'. This other Stack Overflow question has the same error, but for some reason does not help at all in this situation: "dbus_bus_request_name(): Connections are not allowed to own the service".

Normally you're supposed to leave the system.conf file intact and add your permissions "punch out" config file in the system.d directory. I have done this, but it does not seem to change anything, regardless of how open I make the permissions. In fact I'm almost positive it's not changing anything! Here is my conf file as it sits right this moment.

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<busconfig>
    <!-- Per-user policies: myUser and root may own any name and send method calls -->
    <policy user="myUser">
        <allow own="*"/>
        <allow own="org.dbus.arduino"/>
        <allow send_type="method_call" log="true"/>
    </policy>
    <policy user="root">
        <allow own="*"/>
        <allow own="org.dbus.arduino"/>
        <allow send_type="method_call" log="true"/>
    </policy>
    <!-- Default context left empty: everyone else keeps the system.conf defaults -->
    <policy context="default">
    </policy>
</busconfig>

Even if I do this or things like it, it STILL doesn't work.

<busconfig>
    <!-- Wide open: anyone may own any name and send method calls -->
    <policy context="default">
        <allow own="*"/>
        <allow own="org.dbus.arduino"/>
        <allow send_type="method_call" log="true"/>
    </policy>
</busconfig>

I even put the name of the file starting with a z so that it may be the very last one that is read in. Here is the system.conf file; note where I have commented out the "allow own" section. This is the ONLY way to get this to work (and the worst possible "fix").

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Our well-known bus type, do not change this -->
  <type>system</type>

  <!-- Run as special user -->
  <user>messagebus</user>

  <!-- Fork into daemon mode -->
  <fork/>

  <!-- We use system service launching using a helper -->
  <standard_system_servicedirs/>

  <!-- This is a setuid helper that is used to launch system services -->
  <servicehelper>/lib/dbus-1/dbus-daemon-launch-helper</servicehelper>

  <!-- Write a pid file -->
  <pidfile>/var/run/dbus/pid</pidfile>

  <!-- Enable logging to syslog -->
  <syslog/>

  <!-- Only allow socket-credentials-based authentication -->
  <auth>EXTERNAL</auth>

  <!-- Only listen on a local socket. (abstract=/path/to/socket 
       means use abstract namespace, don't really create filesystem 
       file; only Linux supports this. Use path=/whatever on other 
       systems.) -->
  <listen>unix:path=/var/run/dbus/system_bus_socket</listen>

  <policy context="default">
    <!-- All users can connect to system bus -->
    <allow user="*"/>

    <!-- Holes must be punched in service configuration files for
         name ownership and sending method calls -->
    <deny own="*"/>
    <deny send_type="method_call" log="true"/>

    <!-- THIS IS THE ONLY WAY TO GET THIS TO WORK
    <allow own="*"/>
    <allow send_type="method_call" log="true"/>
    -->



    <!-- Signals and reply messages (method returns, errors) are allowed
         by default -->
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>

    <!-- All messages may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>

    <!-- Allow anyone to talk to the message bus -->
    <allow send_destination="org.freedesktop.DBus"/>
    <!-- But disallow some specific bus services -->
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>

  </policy>

  <!-- Config files are placed here that among other things, punch 
       holes in the above policy for specific services. -->
  <includedir>system.d</includedir>

  <!-- This is included last so local configuration can override what's 
       in this standard file -->
  <include ignore_missing="yes">system-local.conf</include>

  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>

</busconfig>

I absolutely have to use the system bus because I am deploying it on a Raspberry Pi without a GUI (no X11, and no session bus). I was able to get the Raspberry Pi working only by completely allowing everything on the system bus (security is not nearly as big of a deal on this device). Obviously, there is no way I'm allowing that to occur on my development machine. As background, I am using openSUSE 12.2 and the Raspberry Pi is Debian Squeeze. I cannot own the service with my user account, nor root, unless I completely open the permissions up, in which case it works just fine. I will also note that when I completely opened up the system dbus, I still had to use root to send messages to the daemon (a terminate command). I'd like the solution to be runnable by a particular user, with root having access as well. I am also OK with the solution only allowing the same user and root to send messages to it.

Thanks for any help, I'm sure it's a small issue!

Recommended answer

I finally found the issue. When D-Bus looks for configuration files for punching out permissions (like ownerships), not only must the file be in system.d/, but it must also end in .conf.

My configuration file "org.dbus.arduino" should have been "org.dbus.arduino.conf". I removed the code from system.conf and confirmed I no longer had permissions; then I created a configuration file at "system.d/org.dbus.arduino.conf" and I was granted permissions. I then renamed the file to just "org.dbus.arduino" and confirmed the permissions were denied again.
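The two points this thread turns on, the "punch out" file in system.d that the question describes and the ".conf" suffix requirement the answer found, can be checked without touching a live bus. The following is an added example, not code from the original post or from the dbus project: a small model of how dbus-daemon assembles and evaluates `<policy>` rules. It embeds a cut-down stand-in for system.conf and a least-privilege punch-out file for the service in the question (constructed samples; "myUser" is the placeholder account name from the question), and only models the attributes those samples use (own, send_type, send_destination, user, group, context).

```python
"""Added example (not code from the original post or from the dbus project):
a model of how dbus-daemon collects <policy> sections and evaluates own= and
send_* rules, to show why a punch-out file named "org.dbus.arduino" in
system.d changes nothing while "org.dbus.arduino.conf" does.

Modelled behaviour:
  1. <includedir> only loads files whose name ends in ".conf".
  2. Sections apply in order: default context, groups, user, mandatory context.
  3. Within that order the last matching rule wins; no match means deny.
The config strings below are constructed samples; "myUser" is the question's
placeholder account name.
"""
import xml.etree.ElementTree as ET
from typing import Iterable

# Cut-down stand-in for /etc/dbus-1/system.conf: everyone may connect, but
# name ownership and method calls are denied unless a system.d file allows them.
SYSTEM_CONF = """<busconfig>
  <policy context="default">
    <allow user="*"/>
    <deny own="*"/>
    <deny send_type="method_call"/>
  </policy>
  <includedir>system.d</includedir>
</busconfig>"""

# Least-privilege punch-out for the service in the question: myUser and root may
# own the name, and only they may call methods on it. Nobody else is touched.
PUNCH_OUT = """<busconfig>
  <policy user="myUser">
    <allow own="org.dbus.arduino"/>
    <allow send_destination="org.dbus.arduino"/>
  </policy>
  <policy user="root">
    <allow own="org.dbus.arduino"/>
    <allow send_destination="org.dbus.arduino"/>
  </policy>
</busconfig>"""


def load_policies(system_conf: str, system_d: dict[str, str]) -> list[ET.Element]:
    """Collect <policy> elements: the main file first, then every file in the
    <includedir> whose name ends in ".conf". Other files are skipped silently."""
    policies = list(ET.fromstring(system_conf).findall("policy"))
    for filename in sorted(system_d):  # directory order is unspecified; sorted for determinism
        if filename.endswith(".conf"):
            policies.extend(ET.fromstring(system_d[filename]).findall("policy"))
    return policies


def policies_for(policies: Iterable[ET.Element], user: str, groups: frozenset[str]) -> list[ET.Element]:
    """Order in which sections apply to one connection; later ones override earlier ones."""
    policies = list(policies)
    ordered = [p for p in policies if p.get("context") == "default"]
    ordered += [p for p in policies if p.get("group") in groups]
    ordered += [p for p in policies if p.get("user") == user]
    ordered += [p for p in policies if p.get("context") == "mandatory"]
    return ordered


def _rules(policies, user, groups):
    """Yield (is_allow, attributes) for every allow/deny rule in application order."""
    for policy in policies_for(policies, user, groups):
        for rule in policy:
            if rule.tag in ("allow", "deny"):
                yield rule.tag == "allow", rule.attrib


def may_own(policies, user: str, groups: frozenset[str], name: str) -> bool:
    """Last matching own= rule wins ("*" matches any name); no match means deny."""
    verdict = False
    for allowed, attrs in _rules(policies, user, groups):
        if "own" in attrs and attrs["own"] in ("*", name):
            verdict = allowed
    return verdict


def may_send(policies, user, groups, destination: str, msg_type: str = "method_call") -> bool:
    """Last matching send rule wins; every send_* attribute on the rule must match."""
    verdict = False
    for allowed, attrs in _rules(policies, user, groups):
        send_attrs = {k: v for k, v in attrs.items() if k.startswith("send_")}
        if not send_attrs:
            continue
        if "send_type" in send_attrs and send_attrs["send_type"] != msg_type:
            continue
        if "send_destination" in send_attrs and send_attrs["send_destination"] != destination:
            continue
        verdict = allowed
    return verdict


def check(filename: str, user: str, groups: frozenset[str] = frozenset()) -> tuple[bool, bool]:
    """Place PUNCH_OUT in a simulated system.d under `filename` and report
    (may own org.dbus.arduino, may call methods on it) for `user`."""
    policies = load_policies(SYSTEM_CONF, {filename: PUNCH_OUT})
    return (may_own(policies, user, groups, "org.dbus.arduino"),
            may_send(policies, user, groups, "org.dbus.arduino"))


if __name__ == "__main__":
    for fname in ("org.dbus.arduino", "org.dbus.arduino.conf"):
        for who in ("myUser", "root", "nobody"):
            own, send = check(fname, who)
            print(f"{fname:25} {who:8} own={own!s:5} send={send}")
```

With the file named "org.dbus.arduino" every user gets own=False, send=False, because nothing from it was loaded; rename it to "org.dbus.arduino.conf" and myUser and root get both, while everyone else still gets the system.conf defaults. On a real host, the same experiment is the answer's: drop the file into /etc/dbus-1/system.d/ with the right suffix, make dbus-daemon re-read its configuration (it does so on SIGHUP), and retry the request_name call.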
