D-Bus

D-Bus is the systemd-affiliated "message bus". It's basically a baroque IPC mechanism transported over UNIX domain sockets, with a "hub" process in the middle.

We're required to use it in order to programmatically do what machinectl shell does, which lets us open new session the right way, either on the host or in containers. The ability to use D-Bus will be sandboxed and privilege separated.

As this allows our service to start shells as arbitrary users, it requires elevated privileges. Instead of running as root, or needing CAP_ADMIN, we instead simply configure our system account to be allowed to do that. This happens in two steps.

  1. Tell dbus-daemon to let us make the relevant D-Bus method call, via /usr/share/dbus-1/system.d/50-tere.conf.
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
 <policy group="tere-dbus">
  <allow
        send_type="method_call"
        send_destination="org.freedesktop.machine1"
        send_path="/org/freedesktop/machine1"
        send_interface="org.freedesktop.machine1.Manager"
        send_member="OpenMachineShell"
        max_fds="0"
        />
 </policy>
</busconfig>

# systemctl reload dbus.service
  1. dbus-daemon confirms that this is allowed via polkit, yet another service. Allow it via /usr/share/polkit-1/rules.d/50-tere.rules.
polkit.addRule(function (action, subject) {
  if ((action.id == "org.freedesktop.machine1.host-shell" ||
    action.id == "org.freedesktop.machine1.shell") &&
    subject.groups.includes("tere-dbus") {
    return polkit.Result.YES;
  }
});

(Reload is automatic.)

Limiting Tere sessions

A site admin can add or adjust polkit rules to suit their needs. For example, you could

  • prevent Tere from starting sessions on the host, only allow containers
  • prevent Tere from starting sessions as root (or any system account)
  • enforce what shell program Tere starts

Starting from systemd v2471, polkit rules can use action.lookup(key), and systemd-machined defines keys machine, user, program for what session is being started.

It would be nice to be able to pass more Tere-specific metadata to the polkit rules, but that won't happen without systemd-machined changes.

1

See commit 09364a.

Resources

https://www.freedesktop.org/wiki/Software/dbus/

https://dbus.freedesktop.org/doc/dbus-specification.html

https://dbus.freedesktop.org/doc/dbus-daemon.1.html