[LEDE-DEV] Create a ubus object with a non-root account
Luis Araneda
luaraneda at gmail.com
Mon Jun 26 18:43:12 PDT 2017
Hi,
I finally had the time to dig into the source code of the ubus daemon
and find the answer.
I left it here in case anyone has the same question.
The keyword "publish" can be used in a ubus ACL file to allow a non-root user
to create an object.
I found the keyword in the "ubusd_acl.c" file from the ubus repository.
The corrected ACL file, for my example, is:
{
    "user": "ubususer1",
    "access": {
        "system": {
            "methods": [ "board", "info" ]
        },
        "service": {
            "methods": [ "list" ]
        }
    },
    "publish": [ "testobj" ]
}
Cheers,
Luis Araneda.
On Wed, May 17, 2017 at 1:17 AM, Luis Araneda <luaraneda at gmail.com> wrote:
> Hi,
>
>
> I'm trying to create a ubus object using a non-root account.
>
> I've created an ACL file and put it inside the folder "/usr/share/acl.d"
>
> {
>     "user": "ubususer1",
>     "access": {
>         "system": {
>             "methods": [ "board", "info" ]
>         },
>         "testobj": {
>             "methods": [ "say_hello", "add", "reply" ]
>         },
>         "service": {
>             "methods": [ "list" ]
>         }
>     }
> }
>
> With the ACL file, the non-root account can access the methods just fine.
>
> When I try to execute the program using the non-root account,
> it fails when calling ubus_add_object(). This is the output of
> "ubus monitor":
>
> root@LEDE:~# ubus monitor
> -> 1af1ba4b #00000003 status: {"status":0}
> -> 0973710c #0973710c hello: {}
> <- 0973710c #00000000 add_object: {"objpath":"testobj",
> "signature":{"say_hello":{},
> "reply":{"msg":3},
> "add":{"a":5,"b":5}}}
> -> 0973710c #00000000 status: {"status":2}
> <- 0973710c #00000000 add_object: {}
> -> 0973710c #00000000 data: {"objid":1402562455}
> -> 0973710c #00000000 status: {"status":0}
>
> But, when I try to execute the program as root, it executes correctly,
> giving this output on "ubus monitor":
>
> root@LEDE:~# ubus monitor
> -> 83090aba #00000003 status: {"status":0}
> -> 1a8c6bf2 #1a8c6bf2 hello: {}
> <- 1a8c6bf2 #00000000 add_object: {"objpath":"testobj",
> "signature":{"say_hello":{},
> "reply":{"msg":3},
> "add":{"a":5,"b":5}}}
> -> 9dc9e08c #00000000 invoke: {"objid":-723209694,
> "method":"ubus.object.add",
> "data":{"id":-235541040,"path":"testobj"}}
> -> 4bb7a57d #00000000 invoke: {"objid":-1940255602,
> "method":"ubus.object.add",
> "data":{"id":-235541040,"path":"testobj"}}
> -> 1a8c6bf2 #00000000 data: {"objid":-235541040,"objtype":1777611453}
> -> 1a8c6bf2 #00000000 status: {"status":0}
> <- 9dc9e08c #00000000 status: {"status":0,"objid":-723209694}
> <- 4bb7a57d #00000000 status: {"status":0,"objid":-1940255602}
> <- 1a8c6bf2 #00000000 add_object: {}
> -> 1a8c6bf2 #00000000 data: {"objid":752170120}
> -> 1a8c6bf2 #00000000 status: {"status":0}
>
>
> I've done some research, and I've found
> https://lists.openwrt.org/pipermail/openwrt-devel/2015-September/035514.html
> and I think the call to ubusd_acl_check() shouldn't generate an error in
> my case because I have an ACL file (assuming it is properly written)
>
> - Am I doing something wrong in the ACL file?
> - Is the root user the only one allowed to add an object to the bus?
> - Am I missing something?
>
>
> Thanks in advance,
>
> Luis Araneda.
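
Added example, not part of the original messages or of the ubus code base: a small audit helper that reads ACL files of the shape quoted in this thread and reports whether a user may create an object, and which objects the user can only call. The function names are hypothetical, only the "user", "access" and "publish" keys from the thread are modelled, names are compared exactly, and root is assumed to be unrestricted as in the root run above.

```python
import json

# Constructed inputs: the two ACL files quoted in this thread, compacted.
ORIGINAL_ACL = """{ "user": "ubususer1", "access": {
    "system":  { "methods": [ "board", "info" ] },
    "testobj": { "methods": [ "say_hello", "add", "reply" ] },
    "service": { "methods": [ "list" ] } } }"""
CORRECTED_ACL = """{ "user": "ubususer1", "access": {
    "system":  { "methods": [ "board", "info" ] },
    "service": { "methods": [ "list" ] } },
  "publish": [ "testobj" ] }"""


def load_acl(text):
    """Parse one ACL file and check the shape of the keys used in this thread."""
    acl = json.loads(text)
    if not isinstance(acl.get("user"), str):
        raise ValueError("ACL has no 'user' string")
    if not isinstance(acl.get("access", {}), dict):
        raise ValueError("'access' must be an object")
    publish = acl.get("publish", [])
    if not (isinstance(publish, list) and all(isinstance(p, str) for p in publish)):
        raise ValueError("'publish' must be a list of object names")
    return acl


def can_publish(acls, user, objpath):
    """True if some ACL for `user` lists `objpath` under "publish".

    Assumptions: exact name comparison only; root is treated as unrestricted,
    matching the root run shown in the thread.
    """
    if user == "root":
        return True
    return any(a["user"] == user and objpath in a.get("publish", []) for a in acls)


def call_only_objects(acls, user):
    """Objects `user` may call methods on but may not create on the bus."""
    mine = [a for a in acls if a["user"] == user]
    callable_ = {name for a in mine for name in a.get("access", {})}
    published = {name for a in mine for name in a.get("publish", [])}
    return sorted(callable_ - published)


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        acls = [load_acl(text)]
        print(label, can_publish(acls, "ubususer1", "testobj"),
              call_only_objects(acls, "ubususer1"))
```

With the original ACL, "testobj" shows up as call-only, which is the case where ubus_add_object() failed for the non-root account.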