From 3dc37c12c17d5bb6d4701a425a4f79f6e31784ee Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Thu, 18 Feb 2021 18:36:20 +0000 Subject: systemd: add hostname fallback when polkit is not available When polkit is not available, networkd will not have permissions to call hostnamed's dbus methods, as it runs without privileges. To solve this, when building without polkit, make a new PACKAGECONFIG 'polkit_hostnamed_fallback' available which changes hostnamed so that it runs as the 'systemd-network' user, the same as networkd, so that the authorization works (and also with CAP_SYS_ADMIN since it loses root). Also run it with a separate 'systemd-hostname' group which also owns the bus, to avoid giving the 'systemd-network' additional privileges. (From OE-Core rev: 07a8f1629662d4d66d056d95be3cb9e749242274) Signed-off-by: Luca Boccassi Signed-off-by: Richard Purdie --- .../systemd/systemd/00-hostnamed-network-user.conf | 6 ++++++ .../systemd/org.freedesktop.hostname1_no_polkit.conf | 11 +++++++++++ meta/recipes-core/systemd/systemd_247.3.bb | 19 ++++++++++++++++++- 3 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf create mode 100644 meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf (limited to 'meta/recipes-core') diff --git a/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf new file mode 100644 index 0000000000..6b224ba9b9 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf @@ -0,0 +1,6 @@ +[Service] +# By running with these options instead of root, networkd is allowed to request +# a hostname change via DBUS when policykit is not present +User=systemd-network +Group=systemd-hostname +AmbientCapabilities=CAP_SYS_ADMIN diff --git a/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf new file mode 100644 index 0000000000..f4d0271cdb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf @@ -0,0 +1,11 @@ + + + + + + + + + + diff --git a/meta/recipes-core/systemd/systemd_247.3.bb b/meta/recipes-core/systemd/systemd_247.3.bb index a99e543a77..59e000f1dd 100644 --- a/meta/recipes-core/systemd/systemd_247.3.bb +++ b/meta/recipes-core/systemd/systemd_247.3.bb @@ -16,6 +16,8 @@ REQUIRED_DISTRO_FEATURES = "systemd" SRC_URI += "file://touchscreen.rules \ file://00-create-volatile.conf \ + ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://org.freedesktop.hostname1_no_polkit.conf', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://00-hostnamed-network-user.conf', '', d)} \ file://init \ file://99-default.preset \ file://systemd-pager.sh \ @@ -164,6 +166,10 @@ PACKAGECONFIG[openssl] = "-Dopenssl=true,-Dopenssl=false,openssl" PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}" PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2" PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false" +# If polkit is disabled and networkd+hostnamed are in use, enabling this option and +# using dbus-broker will allow networkd to be authorized to change the +# hostname without acquiring additional privileges +PACKAGECONFIG[polkit_hostnamed_fallback] = ",,,,dbus-broker,polkit" PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false" PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode" PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false" @@ -306,6 +312,15 @@ do_install() { fi fi + # If polkit is not available and a fallback was requested, install a drop-in that allows networkd to + # request hostname changes via DBUS without elevating its privileges + if ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'true', 'false', d)}; then + install -d ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/ + install -m 0644 ${WORKDIR}/00-hostnamed-network-user.conf ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/ + install -d ${D}${datadir}/dbus-1/system.d/ + install -m 0644 ${WORKDIR}/org.freedesktop.hostname1_no_polkit.conf ${D}${datadir}/dbus-1/system.d/ + fi + # create link for existing udev rules ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm @@ -370,7 +385,8 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \ ${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-remote', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \ " -GROUPADD_PARAM_${PN} = "-r systemd-journal" +GROUPADD_PARAM_${PN} = "-r systemd-journal;" +GROUPADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '-r systemd-hostname;', '', d)}" USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}" USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}" USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}" @@ -589,6 +605,7 @@ FILES_${PN} = " ${base_bindir}/* \ ${datadir}/dbus-1/system.d/org.freedesktop.network1.conf \ ${datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf \ ${datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf \ + ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '${datadir}/dbus-1/system.d/org.freedesktop.hostname1_no_polkit.conf', '', d)} \ ${datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf \ ${datadir}/dbus-1/system.d/org.freedesktop.login1.conf \ ${datadir}/dbus-1/system.d/org.freedesktop.timesync1.conf \ -- cgit v1.2.3-54-g00ecf