How to make sd_bus_creds_has_effective_cap return success.

Hi All,

 

I would like to receive some clarity on the following commit in systemd (https://github.com/systemd/systemd/commit/def9a7aa0182e5ecca3ac61b26f75136a5c4f103).

 

I was trying to run an application as non-root.

 

Currently, I am facing an issue that I am not able to make a "busctl call" from a non-root user to a D-Bus service running as root.

 

Example:

    1. Create a non-root user using the useradd command.

    2. The following is exposed by a daemon running as root:

       service    - xyz.openbmc_project.xxxx
       objectpath - /xyz/openbmc_project/xxxx/get_data
       interface  - xyz.openbmc_project.GetData
       method     - getData

    3. From PuTTY, log in to the BMC console and switch to the non-root user using "su nonrootuser".

    4. Run the following command:

       busctl call xyz.openbmc_project.xxxx /xyz/openbmc_project/xxxx/get_data xyz.openbmc_project.GetData getData

       and we get the response "Call Failed: Access denied"

 

On investigation, the 'Access Denied' failure response was coming from the systemd recipe.

From the file systemd\src\libsystemd\sd-bus\bus-convenience.c:

method_callbacks_run->check_access fails

 

In the case of root, check_access->sd_bus_query_sender_privilege returns 1 because of the following condition:

    if (sender_uid == our_uid)
        return 1;

In the case of non-root, the check_access->sd_bus_query_sender_privilege function returns 0.

 

I would like to understand how "return 1" can be achieved from the sd_bus_query_sender_privilege function.

Specifically, the "return 1" shown below:

    r = sd_bus_creds_has_effective_cap(creds, capability);
    if (r > 0)
        return 1;

 

From your commit message I can see that polkit has some role here. But I am new to polkit, and any help would be appreciated 😊

 

Regards,

Arun Lal K M

 

