machined: open up OpenMachinePTY() for unpriv clients

The method call already does a PK check, it was just forgotten to
allowlist this in the dbus policy. And in the dbus vtable for
OpenMachinePTY() call. (It was allowlisted in the per-machine
vtable…)

Anyway, clean this up.

diff --git a/man/org.freedesktop.machine1.xml b/man/org.freedesktop.machine1.xml
index 936f2ad7f27c419ad3785c9640ab2068743e59ff..e2ec4a11475772f3695eedfc83811f8740eacfee 100644 (file)
--- a/man/org.freedesktop.machine1.xml
+++ b/man/org.freedesktop.machine1.xml
@@ -94,7 +94,6 @@ node /org/freedesktop/machine1 {
                         out s ssh_private_key_path);
       GetMachineOSRelease(in  s name,
                           out a{ss} fields);
-      @org.freedesktop.systemd1.Privileged("true")
       OpenMachinePTY(in  s name,
                      out h pty,
                      out s pty_path);

diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c
index 616bea54f8228b98740207e0711d03df355df851..954f20e4557c4585f2b003cf2a93a9ebe4cd0615 100644 (file)
--- a/src/machine/machined-dbus.c
+++ b/src/machine/machined-dbus.c
@@ -948,7 +948,7 @@ const sd_bus_vtable manager_vtable[] = {
                                 SD_BUS_ARGS("s", name),
                                 SD_BUS_RESULT("h", pty, "s", pty_path),
                                 method_open_machine_pty,
-                                0),
+                                SD_BUS_VTABLE_UNPRIVILEGED),
         SD_BUS_METHOD_WITH_ARGS("OpenMachineLogin",
                                 SD_BUS_ARGS("s", name),
                                 SD_BUS_RESULT("h", pty, "s", pty_path),

diff --git a/src/machine/org.freedesktop.machine1.conf b/src/machine/org.freedesktop.machine1.conf
index bafc1affdb220907e0e577559c3bc2c9db7808ec..c3c8149f9ab6cb57258c30da11781da10a2a5138 100644 (file)
--- a/src/machine/org.freedesktop.machine1.conf
+++ b/src/machine/org.freedesktop.machine1.conf
@@ -72,6 +72,10 @@
                        send_interface="org.freedesktop.machine1.Manager"
                        send_member="OpenMachineLogin"/>
 
+                <allow send_destination="org.freedesktop.machine1"
+                       send_interface="org.freedesktop.machine1.Manager"
+                       send_member="OpenMachinePTY"/>
+
                 <allow send_destination="org.freedesktop.machine1"
                        send_interface="org.freedesktop.machine1.Manager"
                        send_member="OpenMachineShell"/>
@@ -176,6 +180,10 @@
                        send_interface="org.freedesktop.machine1.Machine"
                        send_member="OpenLogin"/>
 
+                <allow send_destination="org.freedesktop.machine1"
+                       send_interface="org.freedesktop.machine1.Machine"
+                       send_member="OpenPTY"/>
+
                 <allow send_destination="org.freedesktop.machine1"
                        send_interface="org.freedesktop.machine1.Machine"
                        send_member="OpenShell"/>