Re: Cannot call GetUnit method with ssh

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Mantas,

Thanks for your reply.

"Hold on – why are you whitelisting individual users for systemd.GetMethod()?  "

Sorry I am not clear your question. My intend is to add a user that fails to authenticate with DBUS in the previous email to policy config file to troubleshoot if dbus resolve it or not. But it throws "Unknown username" so I think dbus does not know anything about this user and it leads to the authenticate fails.

Brs,
Bao



On Tue, Mar 12, 2019 at 6:20 PM Mantas Mikulėnas <grawity@xxxxxxxxx> wrote:
On Tue, Mar 12, 2019 at 1:17 PM Bao Nguyen <baondt@xxxxxxxxx> wrote:
Hi again,

I tried to add the LDAP user in /etc/dbus-1/system.conf policy and then send signal SIGHUP to reload the configuration, also for dbus flush user cache, but dbus said that 

Unknown username "ldap_demo" on element <allow>
Reloaded configuration

Hold on – why are you whitelisting individual users for systemd.GetMethod()?
 

I search the source code in dbus. it will call _dbus_get_user_id_and_primary_group , then _dbus_user_database_get_system to search user ldap_demo in its database but I am not clear how this database is built. Could you please help me for that? 
Is there anyway to make dbus aware the new user except restart dbus?

 
If I restart dbus, does it have any impact to the system?

Yes; it closes all existing bus connections, which may cause many services to exit.
 

Thanks,
Brs,
Bao


On Fri, Mar 8, 2019 at 5:54 PM Lennart Poettering <lennart@xxxxxxxxxxxxxx> wrote:
On Fr, 08.03.19 11:59, Mantas Mikulėnas (grawity@xxxxxxxxx) wrote:

> > dbus policy can only reference users that are available locally at any
> > time, i.e. generally system users, not human users.
> >
> >
> Hmm, but in this case, the client seems to be completely refused access to
> the bus – not just blocked by policy from sending some message. The system
> bus normally allows any user to connect (I mean, I have no problems
> accessing it from an LDAP account), so I'm not sure why the bus config
> should matter at this point.

At this point this is probably something to move to the dbus list... I
don#t remember how precisely dbus-daemon authenticates stuff, I just
have a rough idea.

Lennart

--
Lennart Poettering, Red Hat


--
Mantas Mikulėnas
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux