2017-03-01 16:35:47

by Travis Griggs

Subject: Allow non-root user to access BLE DBus interface (systemd)

This is not directly bluez/ble related, but rather derived from their use. I’ve been prototyping my BLE peripheral behavior running as root. Now I’m hardening things and partitioning the BLE app to a non-root user. My service now errors out with the following:

dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.6797" (uid=107 pid=17300 comm="/usr/bin/python3 -u /opt/pilot/bleMainloop ") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.2" (uid=0 pid=1373 comm="/usr/lib/bluetooth/bluetoothd -d -E --noplugin=* “)

I see that there’s a bluetooth.conf in /etc/dbus-1/system.d. Do I need to tune something in this file to allow my app to still use the BLE DBus services? Any examples or pointers would be appreciated.

(sorry if this ended up a repeat post)


2017-03-06 23:44:06

by Travis Griggs

Subject: Re: Allow non-root user to access BLE DBus interface (systemd)


> On Mar 2, 2017, at 12:01 AM, Luiz Augusto von Dentz <[email protected]> wrote:
>
> Hi Travis,
>
> On Wed, Mar 1, 2017 at 7:27 PM, Travis Griggs <[email protected]> wrote:
>>
>>> On Mar 1, 2017, at 8:35 AM, Travis Griggs <[email protected]> wrote:
>>>
>>> This is not directly bluez/ble related, but rather derived from their use. I’ve been prototyping my BLE peripheral behavior running as root. Now I’m hardening things and partitioning the BLE app to a non-root user. My service now errors out with the following:
>>>
>>> dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.6797" (uid=107 pid=17300 comm="/usr/bin/python3 -u /opt/pilot/bleMainloop ") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.2" (uid=0 pid=1373 comm="/usr/lib/bluetooth/bluetoothd -d -E --noplugin=* “)
>
> These interfaces have never been blocked, in fact that's how
> bluetoothctl accesses BlueZ so you probably have something wrong with
> your configuration.
>
>>> I see that there’s a bluetooth.conf in /etc/dbus-1/system.d. Do I need to tune something in this file to allow my app to still use the BLE DBus services? Any examples or pointers would be appreciated.
>>>
>>> (sorry if this ended up a repeat post)

I was/am just using the stock debian (stretch) configuration. Except I modify the bluetooth.service to read:

ExecStart=/usr/lib/bluetooth/bluetoothd -d -E --noplugin=*


In the end, rather than modifying any config files though, I found that if I add my non-root user to the bluetooth group, that things work fine. The mentioned config file has an entry that hinted me in that direction.
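
A simplified model of the group-based D-Bus policy check that the fix above relies on, added here as an illustration and not part of the original thread. The policy XML is a constructed sample, `may_send` and the `pilot` account name are hypothetical, and only `send_destination` rules are evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (illustrative; not copied from a real bluetooth.conf).
SAMPLE_POLICY = """
<busconfig>
  <policy user="root">
    <allow own="org.bluez"/>
    <allow send_destination="org.bluez"/>
  </policy>
  <policy group="bluetooth">
    <allow send_destination="org.bluez"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.bluez"/>
  </policy>
</busconfig>
"""

def may_send(policy_xml, user, groups, destination):
    """Simplified bus-policy check for send_destination rules only.

    Policies are applied in the order default context, then matching group,
    then matching user, and the last matching rule wins. A message that no
    rule matches is treated as denied (assumption of this sketch).
    """
    policies = ET.fromstring(policy_xml).findall("policy")
    ordered = (
        [p for p in policies if p.get("context") == "default"]
        + [p for p in policies if p.get("group") in groups]
        + [p for p in policies if p.get("user") == user]
    )
    allowed = False
    for policy in ordered:
        for rule in policy:
            # Rules without a send_destination attribute (e.g. own=) are skipped.
            if rule.get("send_destination") == destination:
                allowed = rule.tag == "allow"
    return allowed

if __name__ == "__main__":
    # "pilot" is a hypothetical account name for the non-root service user.
    for groups in ({"pilot"}, {"pilot", "bluetooth"}):
        verdict = may_send(SAMPLE_POLICY, "pilot", groups, "org.bluez")
        print(sorted(groups), "->", "allowed" if verdict else "AccessDenied")
```

For a systemd service, the group can be supplied with `SupplementaryGroups=bluetooth` in the unit instead of editing the account's group list.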

2017-03-02 08:01:33

by Luiz Augusto von Dentz

Subject: Re: Allow non-root user to access BLE DBus interface (systemd)

Hi Travis,

On Wed, Mar 1, 2017 at 7:27 PM, Travis Griggs <[email protected]> wrote:
>
>> On Mar 1, 2017, at 8:35 AM, Travis Griggs <[email protected]> wrote:
>>
>> This is not directly bluez/ble related, but rather derived from their use. I’ve been prototyping my BLE peripheral behavior running as root. Now I’m hardening things and partitioning the BLE app to a non-root user. My service now errors out with the following:
>>
>> dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.6797" (uid=107 pid=17300 comm="/usr/bin/python3 -u /opt/pilot/bleMainloop ") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.2" (uid=0 pid=1373 comm="/usr/lib/bluetooth/bluetoothd -d -E --noplugin=* “)

These interfaces have never been blocked, in fact that's how
bluetoothctl accesses BlueZ so you probably have something wrong with
your configuration.

>> I see that there’s a bluetooth.conf in /etc/dbus-1/system.d. Do I need to tune something in this file to allow my app to still use the BLE DBus services? Any examples or pointers would be appreciated.
>>
>> (sorry if this ended up a repeat post)
>
> The same question in another forum if you want to earn Stack points:
>
> http://unix.stackexchange.com/questions/348441/how-to-allow-non-root-systemd-service-to-use-dbus-for-ble-operation



--
Luiz Augusto von Dentz

2017-03-01 17:27:41

by Travis Griggs

Subject: Re: Allow non-root user to access BLE DBus interface (systemd)


> On Mar 1, 2017, at 8:35 AM, Travis Griggs <[email protected]> wrote:
>
> This is not directly bluez/ble related, but rather derived from their use. I’ve been prototyping my BLE peripheral behavior running as root. Now I’m hardening things and partitioning the BLE app to a non-root user. My service now errors out with the following:
>
> dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.6797" (uid=107 pid=17300 comm="/usr/bin/python3 -u /opt/pilot/bleMainloop ") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.2" (uid=0 pid=1373 comm="/usr/lib/bluetooth/bluetoothd -d -E --noplugin=* “)
>
> I see that there’s a bluetooth.conf in /etc/dbus-1/system.d. Do I need to tune something in this file to allow my app to still use the BLE DBus services? Any examples or pointers would be appreciated.
>
> (sorry if this ended up a repeat post)

The same question in another forum if you want to earn Stack points:

http://unix.stackexchange.com/questions/348441/how-to-allow-non-root-systemd-service-to-use-dbus-for-ble-operation