Re: [Interest] Qt, running as root (sudo/setuid), DBus and OS X
Thiago Macieira wrote:

>> My first attempts to get a privileged service to work involved exporting my
>> launchd session bus socket to root, via launchctl. That worked; I think
>> that's sufficient proof that root at least can connect to a lesser user's
>> session bus, on OS X.
>
> Probably because dbus-daemon hasn't implemented obtaining the peer's UID on
> macOS. The moment it does, you won't be able to.

With hindsight, I think it never connected. The libdbus initialisation routines just want to have definitions for all 3 bus address types even if the client is only going to be connecting to one of them. That must be what happened here: setting the LAUNCHD_ session bus env. variable provided the only bit of required but ultimately unused information the absence of which stood in the way of successful initialisation.

R.
___
Interest mailing list
Interest@qt-project.org
http://lists.qt-project.org/mailman/listinfo/interest
Re: [Interest] Qt, running as root (sudo/setuid), DBus and OS X
On Friday, 23 September 2016 01:06:31 PDT René J. V. Bertin wrote:
> Ch'Gans wrote:
> >> It's not possible to connect to another user's session bus.
> >
> > I'm not trying to say that this is what René should do, I'm just
> > saying that it is technically possible, for the sake of correctness.
>
> My first attempts to get a privileged service to work involved exporting my
> launchd session bus socket to root, via launchctl. That worked; I think
> that's sufficient proof that root at least can connect to a lesser user's
> session bus, on OS X.

Probably because dbus-daemon hasn't implemented obtaining the peer's UID on macOS. The moment it does, you won't be able to.

If you want to connect to a user's session bus, setuid to that user first.

--
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
Re: [Interest] Qt, running as root (sudo/setuid), DBus and OS X
Ch'Gans wrote:

>> It's not possible to connect to another user's session bus.

> I'm not trying to say that this is what René should do, I'm just
> saying that it is technically possible, for the sake of correctness.

My first attempts to get a privileged service to work involved exporting my launchd session bus socket to root, via launchctl. That worked; I think that's sufficient proof that root at least can connect to a lesser user's session bus, on OS X.

R
Re: [Interest] Qt, running as root (sudo/setuid), DBus and OS X
On 19 September 2016 at 07:56, Thiago Macieira wrote:
> On Friday, 16 September 2016 14:22:03 PDT René J.V. Bertin wrote:
>> Hi,
>>
>> Is it possible to use Qt-based applications on OS X that run with elevated
>> privileges (= as root), in general and
>
> It's possible, but not recommended.
>
>> if they need to connect to the user's session dbus?
>
> It's not possible to connect to another user's session bus.

DBUS wasn't designed to allow this sort of thing. Although non-trivial, it is technically possible but brings a bunch of security issues and requires programs to run on both sides (the user and root in this case). It all boils down to socket bridging and port forwarding. There's a tool that would do that automatically for you (can't remember the name), but you can achieve that with socat and the likes too.

I'm not trying to say that this is what René should do, I'm just saying that it is technically possible, for the sake of correctness.

Chris

>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel Open Source Technology Center
Re: [Interest] Qt, running as root (sudo/setuid), DBus and OS X
On Friday, 16 September 2016 14:22:03 PDT René J.V. Bertin wrote:
> Hi,
>
> Is it possible to use Qt-based applications on OS X that run with elevated
> privileges (= as root), in general and

It's possible, but not recommended.

> if they need to connect to the user's session dbus?

It's not possible to connect to another user's session bus.

--
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
Re: [Interest] Qt, running as root (sudo/setuid), DBus and OS X
On 18 September 2016 at 18:23, Roland Hughes wrote:
> >>
> Hi,
>
> Is it possible to use Qt-based applications on OS X that run with elevated
> privileges (= as root), in general and if they need to connect to the
> user's session dbus?
>
> ---
>
> Typically you need to look at QApplication documentation. There is
> something you have to set in that class BEFORE you instantiate it. If that
> is not set Qt will block priv elevations. On Linux which, OS X is just the
> cheaper less capable BSD, you can then use "capabilities" (forget the
> correct name) library which allows a user app to temporarily elevate its
> privs for certain things.
>

What you're thinking of is the suid protection. It doesn't affect just running things as root.

Rich.
Re: [Interest] Qt, running as root (sudo/setuid), DBus and OS X
>> Hi,
>> Is it possible to use Qt-based applications on OS X that run with elevated
>> privileges (= as root), in general and if they need to connect to the
>> user's session dbus?

---

Typically you need to look at QApplication documentation. There is something you have to set in that class BEFORE you instantiate it. If that is not set Qt will block priv elevations. On Linux which, OS X is just the cheaper less capable BSD, you can then use "capabilities" (forget the correct name) library which allows a user app to temporarily elevate its privs for certain things.

Of course, you might wish to check the myriad of "groups" a user account can belong to. Many times you can simplify things by requiring the install to have the user be added to a group. This is typical with things which access the serial port. User needs to be in dialout or modem or whatever group. This approach is actually safer than temporary boost of privs because, in theory, the app could crash while boosted leaving the user running as root.

Roland
[Interest] Qt, running as root (sudo/setuid), DBus and OS X
Hi,

Is it possible to use Qt-based applications on OS X that run with elevated privileges (= as root), in general and if they need to connect to the user's session dbus?

Cf.

%> sudo -E /opt/local/bin/qdbus -qt=qt5 --system
Dynamic session lookup supported but failed: launchd did not provide a socket path, verify that org.freedesktop.dbus-session.plist is loaded!
Could not connect to D-Bus server: org.freedesktop.DBus.Error.NoMemory: Not enough memory
Exit 1
%<

Thanks,
René