我正在尝试创建一个在系统总线上运行的守护程序服务,其中从该服务发送和接收的权限应该对任何人完全开放。 (此服务不关心安全性)。当我尝试使用 QtDbus 注册服务(使用 PyQt)时,出现以下错误:Connection ":1.0" is not allowed to own the service "org.dbus.arduino" due to security policies in the configuration file。其他堆栈溢出也有相同的错误,但由于某种原因在这种情况下根本没有帮助。dbus_bus_request_name (): 不允许连接拥有该服务.
通常你应该离开system.conf文件完好无损并在配置文件中添加您的权限“打孔”system.d目录。我已经这样做了,但无论我如何开放权限,它似乎都没有改变任何东西。事实上,我几乎肯定它不会改变任何东西!这是我现在的配置文件。
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="myUser">
<allow own="*"/>
<allow own="org.dbus.arduino"/>
<allow send_type="method_call" log="true"/>
</policy>
<policy user="root">
<allow own="*"/>
<allow own="org.dbus.arduino"/>
<allow send_type="method_call" log="true"/>
</policy>
<policy context="default">
</policy>
</busconfig>
即使我这样做或类似的事情,它仍然不起作用。
<busconfig>
<policy context="default">
<allow own="*"/>
<allow own="org.dbus.arduino"/>
<allow send_type="method_call" log="true"/>
</policy>
</busconfig>
我什至将文件名以 z 开头,以便它可能是最后读入的文件。这是 system.conf 文件,请注意我在其中注释掉了“允许拥有”部分。这是让它发挥作用的唯一方法(也是最糟糕的“修复”)。
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Our well-known bus type, do not change this -->
<type>system</type>
<!-- Run as special user -->
<user>messagebus</user>
<!-- Fork into daemon mode -->
<fork/>
<!-- We use system service launching using a helper -->
<standard_system_servicedirs/>
<!-- This is a setuid helper that is used to launch system services -->
<servicehelper>/lib/dbus-1/dbus-daemon-launch-helper</servicehelper>
<!-- Write a pid file -->
<pidfile>/var/run/dbus/pid</pidfile>
<!-- Enable logging to syslog -->
<syslog/>
<!-- Only allow socket-credentials-based authentication -->
<auth>EXTERNAL</auth>
<!-- Only listen on a local socket. (abstract=/path/to/socket
means use abstract namespace, don't really create filesystem
file; only Linux supports this. Use path=/whatever on other
systems.) -->
<listen>unix:path=/var/run/dbus/system_bus_socket</listen>
<policy context="default">
<!-- All users can connect to system bus -->
<allow user="*"/>
<!-- Holes must be punched in service configuration files for
name ownership and sending method calls -->
<deny own="*"/>
<deny send_type="method_call" log="true"/>
<!-- THIS IS THE ONLY WAY TO GET THIS TO WORK
<allow own="*"/>
<allow send_type="method_call" log="true"/>
-->
<!-- Signals and reply messages (method returns, errors) are allowed
by default -->
<allow send_type="signal"/>
<allow send_requested_reply="true" send_type="method_return"/>
<allow send_requested_reply="true" send_type="error"/>
<!-- All messages may be received by default -->
<allow receive_type="method_call"/>
<allow receive_type="method_return"/>
<allow receive_type="error"/>
<allow receive_type="signal"/>
<!-- Allow anyone to talk to the message bus -->
<allow send_destination="org.freedesktop.DBus"/>
<!-- But disallow some specific bus services -->
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus"
send_member="UpdateActivationEnvironment"/>
</policy>
<!-- Config files are placed here that among other things, punch
holes in the above policy for specific services. -->
<includedir>system.d</includedir>
<!-- This is included last so local configuration can override what's
in this standard file -->
<include ignore_missing="yes">system-local.conf</include>
<include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
</busconfig>
我绝对必须使用系统总线,因为我将其部署在没有 GUI 的 Raspberry Pi 上(没有 x11,也没有会话总线)。我只能通过完全允许系统总线上的所有内容来让 Raspberry Pi 工作(安全性在该设备上并不是那么重要)。显然,我不可能允许这种情况发生在我的开发机器上。作为背景,我使用 Opensuse 12.2,Raspberry Pi 是 Debian Squeeze。我无法使用我的用户帐户或 root 拥有该服务,除非我完全开放权限,在这种情况下它工作得很好。我还要注意的是,当我完全打开系统总线时,我仍然必须使用 root 向守护进程发送消息(终止命令)。我希望该解决方案能够通过具有 root 访问权限的特定用户运行。我也同意只允许同一用户和 root 向其发送消息的解决方案。
感谢您的帮助,我确信这是一个小问题!
