Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
DBus, PolicyKit and YaSTIng. Ladislav Slezák <lslezak@novell.com>YaST Developer
DBus
© Novell, Inc. All rights reserved.3DBus• What is DBus?– Local interprocess communication (IPC)– Message based (sends mess...
© Novell, Inc. All rights reserved.4DBus• Why?– Unified communication for desktop replacing DCOP (KDE)and CORBA (GNOME)– F...
© Novell, Inc. All rights reserved.5DBus Concepts• Object oriented view– DBus services provides objects– But OOP is not re...
© Novell, Inc. All rights reserved.6DBus parts• DBus daemon– Runs a bus, processes and routes the messages• DBus library (...
© Novell, Inc. All rights reserved.7DBus Terminology• Bus– The place for transferring the messages– Multiple buses can run...
© Novell, Inc. All rights reserved.8DBus Terminology• Connection/Service name– Unique ID (:1.42, assigned by DBus) or well...
© Novell, Inc. All rights reserved.9DBus TerminologyService org.freedesktop.PowerManagementObject /org/freedesktop/PowerMa...
© Novell, Inc. All rights reserved.10DBus Message• Message types– Method call– Method reply– Error– Signal (1:N publish/su...
© Novell, Inc. All rights reserved.11Object Introspection• Query available objects in a service• Runtime object browsing• ...
© Novell, Inc. All rights reserved.12Service Activation• DBus service– can be provided by a running application– can start...
© Novell, Inc. All rights reserved.13Access Control• Its possible to allow or deny access to a specificobject, interface, ...
© Novell, Inc. All rights reserved.14Python Example• Method call exampleimport dbusbus = dbus.SessionBus()obj = bus.get_ob...
© Novell, Inc. All rights reserved.15GUI Tools – qdbusviewer
© Novell, Inc. All rights reserved.16GUI Tools – kdbus
© Novell, Inc. All rights reserved.17Command line tools• dbus-send– Sends a message• dbus-monitor– Monitors activity on a ...
© Novell, Inc. All rights reserved.18DBus Documentation• Introduction to DBus– http://www.freedesktop.org/wiki/Introductio...
PolicyKit
© Novell, Inc. All rights reserved.20PolicyKit• Framework for central policy management ofprivileged operations– In contra...
© Novell, Inc. All rights reserved.21PolicyKit Model• Application is split to privileged and unprivileged part,each part r...
© Novell, Inc. All rights reserved.22PolicyKit Modelhttp://hal.freedesktop.org/docs/PolicyKit/diagram-bus-model.png
© Novell, Inc. All rights reserved.23Mechanism• Runs as a privileged user• Parts of mechanism– Decider part – checkswhethe...
© Novell, Inc. All rights reserved.24Input for Decision• Subject– Attributes of the requester – UID, application, local or...
© Novell, Inc. All rights reserved.25Authorization Check• Also the unprivileged part may check whether it can dothe privil...
© Novell, Inc. All rights reserved.26How to Obtain an Authorization• User is allowed to do action– By default (defined in ...
© Novell, Inc. All rights reserved.27Authentication• Authentication agent is a DBus service(org.freedesktop.PolicyKit.Auth...
© Novell, Inc. All rights reserved.28Workflow• HAL example• Mount request senthttp://hal.freedesktop.org/docs/PolicyKit/di...
© Novell, Inc. All rights reserved.29Workflow• An exception is returned • The user authenticates
© Novell, Inc. All rights reserved.30Workflow• A token is written to DB • The second attept is OK
© Novell, Inc. All rights reserved.31Command Line Tools• polkit-auth– Manage authorizations – display, obtain, revoke...• ...
© Novell, Inc. All rights reserved.32PolicyKit Documentation• Design, API reference manual, tools...– http://hal.freedeskt...
YaST DBus Service
© Novell, Inc. All rights reserved.34YaST DBus Service• Access the YaST functionality from other applications• Needed for ...
© Novell, Inc. All rights reserved.35YaST DBus Service• Package yast2-dbus-server• Service org.opensuse.YaST.modulesrunnin...
© Novell, Inc. All rights reserved.36Solved Problems• PolicyKit action ID– Created from function name– Checked before func...
Questions?
Thank you!
DBus PolicyKit and YaST
Upcoming SlideShare
Loading in …5
×

DBus PolicyKit and YaST

762 views

Published on

Published in: Technology
  • Be the first to comment

DBus PolicyKit and YaST

  1. 1. DBus, PolicyKit and YaSTIng. Ladislav Slezák <lslezak@novell.com>YaST Developer
  2. 2. DBus
  3. 3. © Novell, Inc. All rights reserved.3DBus• What is DBus?– Local interprocess communication (IPC)– Message based (sends messages, not streams)– Messages are transferred in binary form– Supports 1:1 and 1:N communication
  4. 4. © Novell, Inc. All rights reserved.4DBus• Why?– Unified communication for desktop replacing DCOP (KDE)and CORBA (GNOME)– For communication between desktop applications or betweendesktop applications and system daemons, for handlingsystem events...
  5. 5. © Novell, Inc. All rights reserved.5DBus Concepts• Object oriented view– DBus services provides objects– But OOP is not required, service can be written in C• Data types– Basic data types: integer, string, boolean...– Containers: array, hash, structure, variant> Containers can be recursive
  6. 6. © Novell, Inc. All rights reserved.6DBus parts• DBus daemon– Runs a bus, processes and routes the messages• DBus library (libdbus)– Low-level C API• Language bindings– High-level API for Python, Ruby, Qt, Glib …– Wrappers for low-level C calls– Conversion between native and DBus data types– May provide object proxy for mapping native objects(GObject, QObject,...) and signals to DBus objects and signals
  7. 7. © Novell, Inc. All rights reserved.7DBus Terminology• Bus– The place for transferring the messages– Multiple buses can run in parallel> System wide bus – single bus for system wide events and services, runsunder a system user (non-root)> Session bus – one per user session, for desktop applications, created atlogin, runs with user privileges> Private bus – special separate bus can be started by applications
  8. 8. © Novell, Inc. All rights reserved.8DBus Terminology• Connection/Service name– Unique ID (:1.42, assigned by DBus) or well-known(org.freedesktop.PowerManagement, defined by service)• Object path in object tree– /org/freedesktop/PowerManagement• Interface name– Named group of methods and signals,org.freedesktop.PowerManagement• Method name– Suspend
  9. 9. © Novell, Inc. All rights reserved.9DBus TerminologyService org.freedesktop.PowerManagementObject /org/freedesktop/PowerManagementBusInterface org.freedesktop.PowerManagementMethod Suspend()
  10. 10. © Novell, Inc. All rights reserved.10DBus Message• Message types– Method call– Method reply– Error– Signal (1:N publish/subscribe communication)• Header– Type, destination service, target object, method, sender,serial number, data type signature...• Data– Arguments in binary form
  11. 11. © Novell, Inc. All rights reserved.11Object Introspection• Query available objects in a service• Runtime object browsing• Needed by language proxies and DBus browsers
  12. 12. © Novell, Inc. All rights reserved.12Service Activation• DBus service– can be provided by a running application– can start be started on demand> Started service can continue running, it can exit immediately or exit after atimeout
  13. 13. © Novell, Inc. All rights reserved.13Access Control• Its possible to allow or deny access to a specificobject, interface, method, signal...
  14. 14. © Novell, Inc. All rights reserved.14Python Example• Method call exampleimport dbusbus = dbus.SessionBus()obj = bus.get_object(org.freedesktop.PowerManagement,/org/freedesktop/PowerManagement)iface = dbus.Interface(obj,org.freedesktop.PowerManagement)result = iface.CanHibernate()print result
  15. 15. © Novell, Inc. All rights reserved.15GUI Tools – qdbusviewer
  16. 16. © Novell, Inc. All rights reserved.16GUI Tools – kdbus
  17. 17. © Novell, Inc. All rights reserved.17Command line tools• dbus-send– Sends a message• dbus-monitor– Monitors activity on a bus• qdbus– DBus browsing, sending messages
  18. 18. © Novell, Inc. All rights reserved.18DBus Documentation• Introduction to DBus– http://www.freedesktop.org/wiki/IntroductionToDBus• DBus tutorial– http://dbus.freedesktop.org/doc/dbus-tutorial.html• DBus FAQ– http://dbus.freedesktop.org/doc/dbus-faq.html• Low-level C API– http://dbus.freedesktop.org/doc/dbus/api/html/group__DBus.html• C example– http://dbus.freedesktop.org/doc/dbus/libdbus-tutorial.html
  19. 19. PolicyKit
  20. 20. © Novell, Inc. All rights reserved.20PolicyKit• Framework for central policy management ofprivileged operations– In contrast to /etc/sudoers, user group management...• Extends DBus security model – more fine grainedprivileges– User can mount removable media, but cannot mount fixedmedia– User can shutdown the machine from a local session
  21. 21. © Novell, Inc. All rights reserved.21PolicyKit Model• Application is split to privileged and unprivileged part,each part runs in a different process– For security reasons the privileged part should be as small aspossible– The privileged part is called “Mechanism”• These parts communicate via IPC (DBus, pipes, ...)
  22. 22. © Novell, Inc. All rights reserved.22PolicyKit Modelhttp://hal.freedesktop.org/docs/PolicyKit/diagram-bus-model.png
  23. 23. © Novell, Inc. All rights reserved.23Mechanism• Runs as a privileged user• Parts of mechanism– Decider part – checkswhether the requester isallowed to call the actionpart– Action part – carries out theprivileged action• The action is performedonly when the deciderpart says “Yes”RequestMechanismAllowed?Do ActionError
  24. 24. © Novell, Inc. All rights reserved.24Input for Decision• Subject– Attributes of the requester – UID, application, local or remotesession, active session...• Object– Removable device, Package, Power management...• Action– What to do with the object– Mount the device, install the package, reboot the system...• PolicyKit encodes object and action to single Action ID– e.g. org.freedesktop.hal.storage.mount-removable
  25. 25. © Novell, Inc. All rights reserved.25Authorization Check• Also the unprivileged part may check whether it can dothe privileged operation– Disabled or locked options in UI
  26. 26. © Novell, Inc. All rights reserved.26How to Obtain an Authorization• User is allowed to do action– By default (defined in configuration file)– Under a special condition (e.g. active session)– Administrator grants the authorization to the user– Obtains the authorization via authentication
  27. 27. © Novell, Inc. All rights reserved.27Authentication• Authentication agent is a DBus service(org.freedesktop.PolicyKit.AuthenticationAgent)
  28. 28. © Novell, Inc. All rights reserved.28Workflow• HAL example• Mount request senthttp://hal.freedesktop.org/docs/PolicyKit/diagram-interaction.png• Check the authorization
  29. 29. © Novell, Inc. All rights reserved.29Workflow• An exception is returned • The user authenticates
  30. 30. © Novell, Inc. All rights reserved.30Workflow• A token is written to DB • The second attept is OK
  31. 31. © Novell, Inc. All rights reserved.31Command Line Tools• polkit-auth– Manage authorizations – display, obtain, revoke...• polkit-action– List actions, modify defaults• polkit-policy-file-validate– A validation tool for .policy files, should be called frommake check• polkit-policy-file-validate– Validates /etc/PolicyKit/PolicyKit.conf file
  32. 32. © Novell, Inc. All rights reserved.32PolicyKit Documentation• Design, API reference manual, tools...– http://hal.freedesktop.org/docs/PolicyKit/index.html– Package PolicyKit-doc
  33. 33. YaST DBus Service
  34. 34. © Novell, Inc. All rights reserved.34YaST DBus Service• Access the YaST functionality from other applications• Needed for WebYaSTWhy DBus?• Auto start (no running daemon)• Starts YaST as root user (no SUID flag)Why PolicyKit?• Admin tools available
  35. 35. © Novell, Inc. All rights reserved.35YaST DBus Service• Package yast2-dbus-server• Service org.opensuse.YaST.modulesrunning on the system bus• Object /org/opensuse/YaST/modules/<module>• Interface org.opensuse.YaST.Values• The service is started automatically• Shuts down after 2 minutes
  36. 36. © Novell, Inc. All rights reserved.36Solved Problems• PolicyKit action ID– Created from function name– Checked before function call• Stateful YaST modules– Stateless wrappers (YaPI)– Lock(), Unlock() methods• YaST module autoloading– No need to load all YaST modules• YCP data types and special values– Additional interface• Bugfixes in Ruby DBus bindings
  37. 37. Questions?
  38. 38. Thank you!

×