Re: hostnamectl set-hostname non-admin user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Am Dienstag, dem 06.04.2021 um 16:21 +0300 schrieb Damien LEFEVRE:
> Hi,
>
> I have an embedded device and I do not install sudo. I need to have a
> non-root running the main service capable of changing the hostname.
>
> After spending a long afternoon on this I still have not managed.
>
> Here i've tried adding my new user but only read-only requests go
> through
> /usr/share/dbus-1/system.d/org.freedesktop.hostname1.conf
> ```xml
> <?xml version="1.0"?> <!--*-nxml-*-->
> <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus
> Configuration 1.0//EN"
>        
> "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";>
>
> <!--
>   SPDX-License-Identifier: LGPL-2.1+
>
>   This file is part of systemd.
>
>   systemd is free software; you can redistribute it and/or modify it
>   under the terms of the GNU Lesser General Public License as
> published by
>   the Free Software Foundation; either version 2.1 of the License, or
>   (at your option) any later version.
> -->
>
> <busconfig>
>
>     <policy user="root">
>         <allow own="org.freedesktop.hostname1"/>
>         <allow send_destination="org.freedesktop.hostname1"/>
>         <allow receive_sender="org.freedesktop.hostname1"/>
>     </policy>
>
>     <policy user="myuser">
>         <!--<allow own="org.freedesktop.hostname1"/>-->
>         <allow send_destination="org.freedesktop.hostname1"/>
>         <allow receive_sender="org.freedesktop.hostname1"/>
>     </policy>
>
>     <policy context="default">
>         <allow send_destination="org.freedesktop.hostname1"/>
>         <allow receive_sender="org.freedesktop.hostname1"/>
>     </policy>
>
> </busconfig>
> ```
>
>
> /usr/share/polkit-1/actions/org.freedesktop.hostname1.policy
> ```xml
> <?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy
> Configuration 1.0//EN"
>         "
> http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd";>
>
> <!--
>   SPDX-License-Identifier: LGPL-2.1+
>
>   systemd is free software; you can redistribute it and/or modify it
>   under the terms of the GNU Lesser General Public License as
> published by
>   the Free Software Foundation; either version 2.1 of the License, or
>   (at your option) any later version.
> -->
>
> <policyconfig>
>
>         <vendor>The systemd Project</vendor>
>        
> <vendor_url>http://www.freedesktop.org/wiki/Software/systemd</vendor_
> url>
>
>         <action id="org.freedesktop.hostname1.set-hostname">
>                 <description gettext-domain="systemd">Set host
> name</description>
>                 <message gettext-domain="systemd">Authentication is
> required to set the local host name.</message>
>                 <defaults>
>                         <allow_any>auth_admin_keep</allow_any>
>                        
> <allow_inactive>auth_admin_keep</allow_inactive>
>                         <allow_active>auth_admin_keep</allow_active>
>                 </defaults>
>         </action>
>
>         <action id="org.freedesktop.hostname1.set-static-hostname">
>                 <description gettext-domain="systemd">Set static host
> name</description>
>                 <message gettext-domain="systemd">Authentication is
> required to set the statically configured local host name, as well as
> the pretty host name.</message>
>                 <defaults>
>                         <allow_any>auth_admin_keep</allow_any>
>                        
> <allow_inactive>auth_admin_keep</allow_inactive>
>                         <allow_active>auth_admin_keep</allow_active>
>                 </defaults>
>                 <annotate
> key="org.freedesktop.policykit.imply">org.freedesktop.hostname1.set-
> hostname org.freedesktop.hostname1.set-machine-info</annotate>
>         </action>
>
>         <action id="org.freedesktop.hostname1.set-machine-info">
>                 <description gettext-domain="systemd">Set machine
> information</description>
>                 <message gettext-domain="systemd">Authentication is
> required to set local machine information.</message>
>                 <defaults>
>                         <allow_any>auth_admin_keep</allow_any>
>                        
> <allow_inactive>auth_admin_keep</allow_inactive>
>                         <allow_active>auth_admin_keep</allow_active>
>                 </defaults>
>         </action>
>
>         <action id="org.freedesktop.hostname1.get-product-uuid">
>                 <description gettext-domain="systemd">Get product
> UUID</description>
>                 <message gettext-domain="systemd">Authentication is
> required to get product UUID.</message>
>                 <defaults>
>                         <allow_any>auth_admin_keep</allow_any>
>                        
> <allow_inactive>auth_admin_keep</allow_inactive>
>                         <allow_active>auth_admin_keep</allow_active>
>                 </defaults>
>         </action>
>
> </policyconfig>
> ```
>
> Despite all my attempts I always get 'Could not set property: Access
> denied' for hostnamectl set-hostname
>
> And get the 'org.freedesktop.DBus.Error.AccessDenied' in dbus-monitor
>
> method call time=1617739342.317948 sender=:1.23 ->
> destination=org.freedesktop.hostname1 serial=3
> path=/org/freedesktop/hostname1; interface=org.freedesktop.hostname1;
> member=SetStaticHostname
>    string "blabla"
>    boolean true
> ...
> error time=1617739342.320289 sender=:1.24 -> destination=:1.23
> error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=3
>    string "Permission denied"
>
>
> Any help would be greatly appreciated =)
>
> -Damien

Hi Damien,

you actually need to configure polkit for this. Something like
/etc/polkit-1/rules.d/49-allow-myuser-access-to-hostnamed.rules

```javascript
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.hostname1.set-hostname") {
        if (subject.user == "myuser") {
            return polkit.Result.YES;
        }
    }
});
```

Your dbus definition only says that one can define rules including such
actions.

HTH
Silvio

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux