Re: Run reboot as normal user

Thank you for the answers. I am working on an embedded system and polkit is not installed (not enabled at all in the Yocto build).
I have a systemd service that runs as a normal user, and for some use cases it needs to do a reboot.
I simulate it for now with dbus-send as shown below (just for debugging; dbus-send will be replaced by a binary which will do the reboot).
Previously the guest user was in sudoers (so to run reboot the systemd service used "sudo"), but our customer now wants to remove the guest user from sudoers.
Adding capabilities doesn't give me the required permissions.

[Service]
User=guest
ExecStart=dbus-send --system --print-reply --dest=org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager.StartUnit string:reboot.target string:replace-irreversibly
AmbientCapabilities=CAP_SYS_BOOT CAP_SYS_ADMIN
CapabilityBoundingSet=CAP_SYS_BOOT CAP_SYS_ADMIN
[Install]
WantedBy=multi-user.target


Thanks,
Mohamed Ali

On Tue, 30 Nov 2021 at 10:37, Colin Guthrie <gmane@xxxxxxxxxxxxxx> wrote:
Mantas Mikulėnas wrote on 30/11/2021 08:42:
> On Tue, Nov 30, 2021 at 10:11 AM Mohamed Ali Fodha
> <fodha.mohamed.ali@xxxxxxxxx <mailto:fodha.mohamed.ali@xxxxxxxxx>> wrote:
>
>     Hello,
>
>     I want to run reboot as normal user using the following command:
>     dbus-send --system --print-reply --reply-timeout=2000
>     --type=method_call --dest=org.freedesktop.login1
>     /org/freedesktop/login1 org.freedesktop.login1.Manager.Reboot
>     boolean:false
>
>     but I got a Permission denied error.
>
>     I checked that verify_shutdown_creds (in logind-dbus.c) calls
>     bus_verify_polkit_async, could it be the reason why I got permission
>     denied error while polkit is not installed?
>
>
> Yes. Polkit is the authorization system that decides whether to allow
> normal users to do privileged actions or not.
>
>     I don't want to use Polkit or sudo, is there any solution ?
>
> No.

When you say you don't want to use polkit, are you just saying you want
to run dbus-send directly rather than prefixing it with pkexec or that
you really don't want polkit installed at all?

If you don't mind having polkit installed and configured (doesn't have
to run all the time) then running dbus-send as above will just work as
you want (no need to run it via a pkexec wrapper). That's literally the
job of polkit - to allow certain privileged operations to users.

If this isn't what you want you'll need to write your own suid wrapper
binary that calls the commands for you.

Col
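
The suid wrapper suggested in the reply above could look like the following. This is an added example, not code from the thread or from systemd; the wrapper name, the /bin/systemctl path and the PATH value are assumptions, and "guest" is the account from the unit file in the message.

```c
/* Added example: setuid-root wrapper whose only action is "systemctl reboot". */
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define ALLOWED_USER "guest"           /* service account from the unit above */
#define SYSTEMCTL    "/bin/systemctl"  /* assumed path, adjust for the image */

/* Fixed argv and environment: nothing supplied by the caller reaches root. */
static char *const REBOOT_ARGV[] = { "systemctl", "reboot", NULL };
static char *const CLEAN_ENV[]   = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* 1 only if real_uid (the invoking user) belongs to the allowed account. */
int caller_allowed(uid_t real_uid, const char *allowed_user)
{
    struct passwd *pw = getpwnam(allowed_user);
    return pw != NULL && pw->pw_uid == real_uid;
}

/* The wrapper takes no arguments; argc == 0 is rejected as well. */
int args_ok(int argc)
{
    return argc == 1;
}

int main(int argc, char **argv)
{
    (void)argv;
    if (!args_ok(argc)) {
        fprintf(stderr, "usage: reboot-wrapper (no arguments)\n");
        return 2;
    }
    if (!caller_allowed(getuid(), ALLOWED_USER)) {
        fprintf(stderr, "reboot-wrapper: caller not permitted\n");
        return 1;
    }
    /* Set real, effective and saved IDs to root so the request is made as uid 0. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("reboot-wrapper: setuid");
        return 1;
    }
    execve(SYSTEMCTL, REBOOT_ARGV, CLEAN_ENV);
    perror("reboot-wrapper: execve");   /* reached only if execve failed */
    return 1;
}
```

Install the binary owned by root with the setuid bit and execute permission only for the service account's group (for example mode 4750); the calling unit must not set NoNewPrivileges=yes, which disables setuid execution.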


