(转载)D-BUS System Activation

 

D-BUS System Activation

Introduction:

The dbus-daemon runs as the dbus user, and is therefore unprivileged.
Earlier attempts [1] by David Zeuthen at launching system scripts using a
custom DBUS protocol were reviewed, but deemed too difficult to audit, and
also due to a multi-threaded design, too difficult to test.
In the next few paragraphs I will outline a simpler setuid approach for
launching daemons as a configured user.

Scope:

Launching programs using dbus has been a topic of interest for many months.
This would allow simple systems to only start services that are needed,
and that are automatically started only when first requested.
This removes the need for an init system, and means that we can trivially
startup services in parallel.
This has immediate pressing need for OLPC, with a longer term evaluation for
perhaps Fedora and RHEL.

Details:

Setuid applications have to used only when absolutely necessary.
In this implementation I have an single executable,
dbus-daemon-launch-helper, with the ownership root:dbus.
This has the permissions 4750, i.e. u+rwx g+rx +setuid.
It is located in /usr/libexec/ and thus is not designed to be invoked by a
user directly.

The helper must not be passed input that can be changed maliciously, and
therefore passing a random path with user id is totally out of the question.
In this implementation a similar idea as discussed with Davids' patch was
taken, that to pass a single name argument to the helper.
The service filename of "org.me.test.service" is then searched for in
/usr/share/dbus-1/system-services or other specified directories.

If applications want to be activated on the system _and_ session busses, then
service files should be installed in both directories.

A typical service file would look like:

[D-BUS Service]
Name=org.me.test
Exec=/usr/sbin/dbus-test-server.py
User=ftp

This gives the user to switch to, and also the path of the executable.
The service name must match that specified in the /etc/dbus-1/system.d conf file.

Precautions taken:

* Only the bus name is passed to the helper, and this is validated
* We are super paranoid about the user that called us, and what permissions we have.
* We clear all environment variables except for DBUS_VERBOSE which is used for debugging
* Anything out of the ordinary causes the helper to abort.

Launching services:

Trivial methods on services can be called directly and the launch helper will
start the service and execute the method on the service. The lauching of the
service is completely transparent to the caller, e.g.:

dbus-send --system --print-reply			/
	--dest=org.freedesktop.Hal			/
	/org/freedesktop/Hal/Manager			/
	org.freedesktop.Hal.Manager.DeviceExists	/
	string:/org/freedesktop/Hal/devices/computer

If you wish to activate the service without calling a well known method,
the standard dbus method StartServiceByName can be used:

dbus-send --system --print-reply			/
	--dest=org.freedesktop.DBus			/
	/org/freedesktop/DBus				/
	org.freedesktop.DBus.StartServiceByName		/
	string:org.freedesktop.Hal uint32:0

[1] http://lists.freedesktop.org/archives/dbus/2006-October/006096.html

源地址：

http://cgit.freedesktop.org/dbus/dbus/tree/doc/system-activation.txt?id=HEAD

有几个点要特别注意：

1. ".service"文件的前缀要和服务名一致。helper程序从dbus-daemon接收到请求的服务名，然后据此到system-services目录下查找对应的

.service文件。system-services目录既可以是/usr/share/dbus-1/system-services也可以是/usr/local/share/dbus-1/system-services。

2. “.service”文件中要指定User。

3. “.conf”文件安装到/etc/dbus-1/system.d目录下。system bus deamon不仅从/etc/dbus-1/system.conf读取配置信息，而且会到

includedir指定的目录下加载配置文件。includedir默认只包含system.d。