[systemd-devel] hostnamectl set-hostname non-admin user
Damien LEFEVRE
2021-04-06 13:21:32 UTC
Hi,

I have an embedded device and I do not install sudo. I need to have a
non-root running the main service capable of changing the hostname.

After spending a long afternoon on this I still have not managed.

Here I've tried adding my new user but only read-only requests go through
/usr/share/dbus-1/system.d/org.freedesktop.hostname1.conf
```xml
<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
        "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<!--
  SPDX-License-Identifier: LGPL-2.1+

  This file is part of systemd.

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.
-->

<busconfig>

        <policy user="root">
                <allow own="org.freedesktop.hostname1"/>
                <allow send_destination="org.freedesktop.hostname1"/>
                <allow receive_sender="org.freedesktop.hostname1"/>
        </policy>

        <policy user="myuser">
                <!--<allow own="org.freedesktop.hostname1"/>-->
                <allow send_destination="org.freedesktop.hostname1"/>
                <allow receive_sender="org.freedesktop.hostname1"/>
        </policy>

        <policy context="default">
                <allow send_destination="org.freedesktop.hostname1"/>
                <allow receive_sender="org.freedesktop.hostname1"/>
        </policy>

</busconfig>
```


/usr/share/polkit-1/actions/org.freedesktop.hostname1.policy
```xml
<?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
        "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">

<!--
  SPDX-License-Identifier: LGPL-2.1+

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.
-->

<policyconfig>

        <vendor>The systemd Project</vendor>
        <vendor_url>http://www.freedesktop.org/wiki/Software/systemd</vendor_url>

        <action id="org.freedesktop.hostname1.set-hostname">
                <description gettext-domain="systemd">Set host name</description>
                <message gettext-domain="systemd">Authentication is required to set the local host name.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>

        <action id="org.freedesktop.hostname1.set-static-hostname">
                <description gettext-domain="systemd">Set static host name</description>
                <message gettext-domain="systemd">Authentication is required to set the statically configured local host name, as well as the pretty host name.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.hostname1.set-hostname org.freedesktop.hostname1.set-machine-info</annotate>
        </action>

        <action id="org.freedesktop.hostname1.set-machine-info">
                <description gettext-domain="systemd">Set machine information</description>
                <message gettext-domain="systemd">Authentication is required to set local machine information.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>

        <action id="org.freedesktop.hostname1.get-product-uuid">
                <description gettext-domain="systemd">Get product UUID</description>
                <message gettext-domain="systemd">Authentication is required to get product UUID.</message>
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>

</policyconfig>
```

Despite all my attempts I always get 'Could not set property: Access
denied' for hostnamectl set-hostname

And get the 'org.freedesktop.DBus.Error.AccessDenied' in dbus-monitor

```
method call time=1617739342.317948 sender=:1.23 -> destination=org.freedesktop.hostname1 serial=3 path=/org/freedesktop/hostname1; interface=org.freedesktop.hostname1; member=SetStaticHostname
   string "blabla"
   boolean true
...
error time=1617739342.320289 sender=:1.24 -> destination=:1.23 error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=3
   string "Permission denied"
```

Any help would be greatly appreciated =)

-Damien
Silvio Knizek
2021-04-06 18:26:45 UTC
Hi Damien,

you actually need to configure polkit for this. Something like
/etc/polkit-1/rules.d/49-allow-myuser-access-to-hostnamed.rules

```javascript
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.hostname1.set-hostname") {
        if (subject.user == "myuser") {
            return polkit.Result.YES;
        }
    }
});
```

Your dbus definition only says that one can define rules including such
actions.

HTH
Silvio
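
A variant of the rule in the reply above, as an added example that is not part of the original thread: the dbus-monitor trace shows the denied call was `SetStaticHostname`, which hostnamed checks against the `set-static-hostname` action, so this version lists both action ids and returns `NOT_HANDLED` for everything else. The `Result` fallback and the `HAVE_POLKIT` guard are constructed here so the decision function can be exercised outside polkitd.

```javascript
// /etc/polkit-1/rules.d/49-allow-myuser-access-to-hostnamed.rules
// (file name taken from the reply above)

// Action ids copied from org.freedesktop.hostname1.policy as quoted in the
// thread. That file annotates set-static-hostname as implying set-hostname
// and set-machine-info; get-product-uuid is not touched by this rule.
var ALLOWED_ACTIONS = [
    "org.freedesktop.hostname1.set-hostname",
    "org.freedesktop.hostname1.set-static-hostname"
];
var ALLOWED_USER = "myuser"; // account name used in the thread

// polkitd supplies the `polkit` global. The fallback values below are
// constructed stand-ins, used only when the file is run outside polkitd.
var HAVE_POLKIT = typeof polkit !== "undefined";
var Result = HAVE_POLKIT ? polkit.Result
                         : { YES: "yes", NOT_HANDLED: "not_handled" };

function hostnameRule(action, subject) {
    // Exact-match on the action id: no prefix matching, so other
    // hostname1 actions keep their auth_admin_keep defaults.
    if (ALLOWED_ACTIONS.indexOf(action.id) === -1) {
        return Result.NOT_HANDLED;
    }
    // Any other user falls through to later rules and the policy defaults.
    if (subject.user !== ALLOWED_USER) {
        return Result.NOT_HANDLED;
    }
    if (HAVE_POLKIT) {
        // Leave an audit trail in polkitd's log for every grant.
        polkit.log("hostname change allowed: action=" + action.id +
                   " user=" + subject.user);
    }
    return Result.YES;
}

if (HAVE_POLKIT) {
    polkit.addRule(hostnameRule);
}
```
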
Damien LEFEVRE
2021-04-07 13:42:36 UTC
Thanks Silvio! That's just what I needed.

Cheers,
-Damien