OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

oscapd-cli traceback when run with non-root privileges #86

Closed jan-cerny closed 8 years ago

jan-cerny commented 8 years ago

oscapd-cli eval needs to be run as root. When run as a normal user, it produces a traceback. I suggest displaying a message instead. For example: "This command needs to be run as root."

Traceback:

$ oscapd-cli eval
ERROR:dbus.proxies:Introspect error on :1.115:/OpenSCAP/daemon: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 3 matched rules; type="method_call", sender=":1.124" (uid=1000 pid=5269 comm="/bin/python3 /usr/bin/oscapd-cli eval ") interface="org.freedesktop.DBus.Introspectable" member="Introspect" error name="(unset)" requested_reply="0" destination=":1.115" (uid=0 pid=4904 comm="/bin/python3 /usr/bin/oscapd ")
Traceback (most recent call last):
  File "/usr/bin/oscapd-cli", line 787, in <module>
    main()
  File "/usr/bin/oscapd-cli", line 752, in main
    dbus_iface.GetVersion()
  File "/usr/lib64/python3.4/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python3.4/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python3.4/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.124" (uid=1000 pid=5269 comm="/bin/python3 /usr/bin/oscapd-cli eval ") interface="org.OpenSCAP.daemon.Interface" member="GetVersion" error name="(unset)" requested_reply="0" destination=":1.115" (uid=0 pid=4904 comm="/bin/python3 /usr/bin/oscapd ")

I am using daemon 0.1.6 on Fedora 23 with Python3, from git with head 21e884e33169660d27bcb7930cc486bbdf3b1932

mpreisler commented 8 years ago

Displaying "This needs to be run as root." is not the right thing IMO. Running openscap-daemon as a different user may be perfectly fine, depending on dbus policy. Let's catch the exception and wrap it in something user friendly. Personally I like tracebacks being included in errors; when users report issues, it makes it much easier to fix them. Perhaps I am missing something here.

jan-cerny commented 8 years ago

Yes, catching the exception and displaying a user-friendly message is the solution that I expected. Just the text of the message should be something like "Permission denied on accessing dbus". Thanks for the clarification.

jan-cerny commented 8 years ago

Fixed in https://github.com/OpenSCAP/openscap-daemon/pull/89
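
The approach agreed on in this thread (catch the AccessDenied exception, show a readable message, keep the original traceback) could look like the sketch below. It is an added example, not the code from the linked pull request: `call_daemon`, `describe_denial` and `StubDBusException` are hypothetical names, and the stub stands in for `dbus.exceptions.DBusException` so the example runs without dbus-python installed.

```python
import re

ACCESS_DENIED = "org.freedesktop.DBus.Error.AccessDenied"
FIELD = re.compile(r'(\w+)="([^"]*)"')
SENDER = re.compile(r'sender="[^"]*" \(uid=(\d+)')

class StubDBusException(Exception):
    """Assumed stand-in for dbus.exceptions.DBusException (same accessors)."""
    def __init__(self, message, name):
        super().__init__(message)
        self._name = name
    def get_dbus_name(self):
        return self._name
    def get_dbus_message(self):
        return self.args[0]

def describe_denial(message):
    """Pull the rejected caller and call out of the bus daemon's message.

    The message layout is the one shown in the report; absent fields give None.
    """
    fields = dict(FIELD.findall(message))
    sender = SENDER.search(message)
    return {"uid": int(sender.group(1)) if sender else None,
            "interface": fields.get("interface"),
            "member": fields.get("member")}

def call_daemon(method, *args):
    """Invoke a proxy method; re-raise an access denial as PermissionError."""
    try:
        return method(*args)
    except Exception as exc:  # with dbus-python: dbus.exceptions.DBusException
        get_name = getattr(exc, "get_dbus_name", None)
        if get_name is None or get_name() != ACCESS_DENIED:
            raise  # unrelated failures keep their original type
        d = describe_denial(exc.get_dbus_message())
        # "from exc" chains the original error, so its traceback is kept.
        raise PermissionError(
            "Permission denied on accessing dbus: uid %s may not call %s.%s; "
            "check the D-Bus policy for the daemon."
            % (d["uid"], d["interface"], d["member"])) from exc

# Message text copied from the traceback in the report above.
SAMPLE = ('Rejected send message, 2 matched rules; type="method_call", '
          'sender=":1.124" (uid=1000 pid=5269 '
          'comm="/bin/python3 /usr/bin/oscapd-cli eval ") '
          'interface="org.OpenSCAP.daemon.Interface" member="GetVersion" '
          'error name="(unset)" requested_reply="0" destination=":1.115" '
          '(uid=0 pid=4904 comm="/bin/python3 /usr/bin/oscapd ")')
```

Because the message names the caller's uid rather than demanding root, it stays accurate when the D-Bus policy permits other users.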