On Mon, 2022-04-04 at 08:20 +0000, Roosembert Palacios wrote:
> Hello o/
> 
> I'm trying to write an ssh-askpass replacement that requires fingerprint
> authentication. I looked at the sources of fprint-verify to learn about
> the protocol with dbus, but when I call GetDefaultDevice on the manager
> I get a permission error:
> 
> ‣ Type=method_call  Endian=l  Flags=0  Version=1 Cookie=4  Timestamp="Mon 
> 2022-04-04 08:04:17.416085 UTC"
>   Sender=:1.5384  Destination=:1.5384  Path=/net/reactivated/Fprint/Manager  
> Interface=net.reactivated.Fprint.Manager  Member=GetDefaultDevice
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You are talking to yourself. And that is already blocked by dbus,
because you are not allowed to just talk to people on the bus as a
user.

You need to talk to "org.reactivated.Fprint".

Benjamin


>   UniqueName=:1.5384
>   MESSAGE "" {
>   };
> 
> ‣ Type=error  Endian=l  Flags=1  Version=1 Cookie=5  ReplyCookie=4  
> Timestamp="Mon 2022-04-04 08:04:17.416148 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.5384
>   ErrorName=org.freedesktop.DBus.Error.AccessDenied  ErrorMessage="Rejected 
> send message, 1 matched rules; type="method_call", sender=":1.5384" (uid=1000 
> pid=1266175 comm="target/debug/fprint-test " label="kernel") 
> interface="net.reactivated.Fprint.Manager" member="GetDefaultDevice" error 
> name="(unset)" requested_reply="0" destination=":1.5384" (uid=1000 
> pid=1266175 comm="target/debug/fprint-test " label="kernel")"
>   MESSAGE "s" {
>           STRING "Rejected send message, 1 matched rules; type="method_call", 
> sender=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " 
> label="kernel") interface="net.reactivated.Fprint.Manager" 
> member="GetDefaultDevice" error name="(unset)" requested_reply="0" 
> destination=":1.5384" (uid=1000 pid=1266175 comm="target/debug/fprint-test " 
> label="kernel")";
>   };
> 
> Looked at the discussion when fprint-verify runs (since it works as
> expected) and saw that it first tried to request the name (after
> manually activating the service). When I reproduce this myself, I
> again get a permission error.
> 
> ‣ Type=method_call  Endian=l  Flags=0  Version=1 Cookie=3  Timestamp="Sun 
> 2022-04-03 23:50:14.614935 UTC"
>   Sender=:1.5238  Destination=org.freedesktop.DBus  Path=/org/freedesktp/DBus 
>  Interface=org.freedesktop.DBus  Member=RequestName
>   UniqueName=:1.5238
>   MESSAGE "su" {
>           STRING "net.reactivated.Fprint";
>           UINT32 0;
>   };
> 
> ‣ Type=error  Endian=l  Flags=1  Version=1 Cookie=4  ReplyCookie=3  
> Timestamp="Sun 2022-04-03 23:50:14.614999 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.5238
>   ErrorName=org.freedesktop.DBus.Error.AccessDenied  ErrorMessage="Connection 
> ":1.5238" is not allowed to own the service "net.reactivated.Fprint" due to 
> security policies in the configuration file"
>   MESSAGE "s" {
>           STRING "Connection ":1.5238" is not allowed to own the service 
> "net.reactivated.Fprint" due to security policies in the configuration file";
>   };
> 
> I'm a complete noob with dbus, so I don't know what configuration file
> policy is denying access. By looking at the configuration under
> share/dbus-1/system.d/net.reactivated.Fprint.conf it should allow me to
> talk to the bus:
> 
>   <!-- Anyone can talk to the service -->
>   <policy context="default">
>     <allow send_destination="net.reactivated.Fprint"
>            send_interface="net.reactivated.Fprint.Manager"/>
>     <allow send_destination="net.reactivated.Fprint"
>            send_interface="net.reactivated.Fprint.Device"/>
> 
> Could you give me any hints on what I may be missing?
> The source is available here:
> https://gitlab.com/roosemberth/ssh-fprintd-askpass/-/blob/master/src/fprint.rs
> 
> I'm running NixOS 22.05 (Quokka) x86_64 on Sway, in case that's relevant.
> pkgs.fprintd is installed in the system environment packages.
> 
> Thanks, cheers!
> 
> Roosembert Palacios
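
Added example, not part of the original thread and not fprintd or dbus-daemon code: a simplified Rust model of the bus's send-policy check, showing why the `<allow>` rules quoted from net.reactivated.Fprint.conf do not cover a call addressed to the caller's own unique name `:1.5384`. Assumptions: the stock system-bus default denies method calls, the last matching rule decides, and `:1.42` is a constructed unique name for the running daemon; `Rule`, `Msg`, `may_send` and `fprint_rules` are hypothetical names.

```rust
// Simplified model of a dbus-daemon send-policy check (added example, not dbus or fprintd code).
use std::collections::HashMap;

struct Rule<'a> {
    allow: bool,
    send_type: Option<&'a str>,
    send_destination: Option<&'a str>,
    send_interface: Option<&'a str>,
}

struct Msg<'a> { msg_type: &'a str, destination: &'a str, interface: &'a str }

/// True when `dest` is `name` itself or the unique connection that currently owns `name`.
fn dest_matches(name: &str, dest: &str, owners: &HashMap<&str, &str>) -> bool {
    name == dest || owners.get(name).map_or(false, |o| *o == dest)
}

/// Rules are checked in order and the last matching rule decides.
fn may_send(rules: &[Rule], msg: &Msg, owners: &HashMap<&str, &str>) -> bool {
    let mut verdict = false;
    for r in rules {
        let hit = r.send_type.map_or(true, |t| t == msg.msg_type)
            && r.send_interface.map_or(true, |i| i == msg.interface)
            && r.send_destination.map_or(true, |d| dest_matches(d, msg.destination, owners));
        if hit { verdict = r.allow; }
    }
    verdict
}

fn fprint_rules() -> Vec<Rule<'static>> {
    let svc = Some("net.reactivated.Fprint");
    vec![
        // Assumed stock system-bus default: method calls are denied unless a later rule allows them.
        Rule { allow: false, send_type: Some("method_call"), send_destination: None, send_interface: None },
        // The two <allow> rules quoted from net.reactivated.Fprint.conf.
        Rule { allow: true, send_type: None, send_destination: svc, send_interface: Some("net.reactivated.Fprint.Manager") },
        Rule { allow: true, send_type: None, send_destination: svc, send_interface: Some("net.reactivated.Fprint.Device") },
    ]
}

fn main() {
    // ":1.42" is a constructed unique name standing in for the running fprintd daemon.
    let owners = HashMap::from([("net.reactivated.Fprint", ":1.42")]);
    let iface = "net.reactivated.Fprint.Manager";
    let to_self = Msg { msg_type: "method_call", destination: ":1.5384", interface: iface };
    let to_service = Msg { msg_type: "method_call", destination: "net.reactivated.Fprint", interface: iface };
    println!("to own unique name: {}", may_send(&fprint_rules(), &to_self, &owners));
    println!("to service name:    {}", may_send(&fprint_rules(), &to_service, &owners));
}
```

The model ignores service activation, `own` rules and receive-side checks; it covers only the send-side match that produced the first AccessDenied error in the trace.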
