I am using ubuntu 18.4, bluez 5.58. The bluetooth module is executed with 'root' privilege.
During power up of embedded device(using cypress BLE module), the advertising fails with error : "qt.bluetooth.bluez received advertising error". This issue happens intermittently.
I tried to restart the bluetooth module - /etc/init.d/bluetooth restart and call the advertise interface again. But the issue still happens.
<policy user="root">
<allow own="org.bluez"/>
<allow send_destination="org.bluez"/>
<allow send_interface="org.bluez.Agent1"/>
<allow send_interface="org.bluez.MediaEndpoint1"/>
<allow send_interface="org.bluez.MediaPlayer1"/>
<allow send_interface="org.bluez.Profile1"/>
<allow send_interface="org.bluez.GattCharacteristic1"/>
<allow send_interface="org.bluez.GattDescriptor1"/>
<allow send_interface="org.bluez.LEAdvertisement1"/>
<allow send_interface="org.freedesktop.DBus.ObjectManager"/>
<allow send_interface="org.freedesktop.DBus.Properties"/>
</policy>
Does anybody know how to resolve this ? or Is there any retry mechanism to be implemented ?
Thank you.
Related
I have got an app service with 3 virtual paths shown below.
Virtual path Physical path Type
/ site\wwwroot Application
/app2 site\wwwroot\app2 Application
/app3 site\wwwroot\app3 Application
How can I use web.config to control access to my site using Azure Security Groups? I've got 3 security groups and I want to allow access as below.
Allow sg1 to have access to my root /.
Allow sg2 to to have access to my root & /app2.
Allow sg3 to to have access to my root & /app3.
In my on-prem IIS box i was able to do something like below to control access.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Windows"/>
<authorization>
<allow roles="GLOBAL\sg1"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="app2">
<system.web>
<authorization>
<allow roles="Global\sg1"/>
<allow roles="Global\sg2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="app3">
<system.web>
<authorization>
<allow roles="Global\sg1"/>
<allow roles="Global\sg3"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Can I replicate this in Azure app services?
I tried a simple base case, as per below. I can go to my / fine as it has no restrictions but I get the error The page cannot be displayed because an internal server error has occurred., when browsing to /app2
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<location path="app2">
<system.web>
<customErrors mode="Off"/>
<authentication mode="Windows"/>
<authorization>
<allow roles="GLOBAL\sg1"/>
<allow roles="GLOBAL\sg2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Please help :(
Can I replicate this in Azure app services?
No, you cannot since what you describe is Active Directory behavior. App Services do not integrate with AD.
Next best thing would be Azure AD authentication, but this will require code changes and look quite different in the end: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
I am trying to set up bluez-5.50 with ofono-1.18 and pulseaudio-12.0 in order to handle phone calls over Bluetooth. However, I'm getting the following problem over dbus-monitor.
error time=1539324786.794398 sender=org.freedesktop.DBus -> destination=:1.28 error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=23
string "Rejected send message, 1 matched rules; type="method_return", sender=":1.28" (uid=0 pid=22288 comm="pulseaudio --realtime ") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.25" (uid=0 pid=22285 comm="/usr/sbin/ofonod -d -n ")"
My /etc/dbus-1/system.conf is as follows:
<policy user="root">
<allow own="org.pulseaudio"/>
<allow own="org.pulseaudio.Server"/>
<allow own="org.ofono"/>
<allow send_destination="org.ofono"/>
<allow send_interface="org.ofono.SimToolkitAgent"/>
<allow send_interface="org.ofono.PushNotificationAgent"/>
<allow send_interface="org.ofono.SmartMessagingAgent"/>
<allow send_interface="org.ofono.PositioningRequestAgent"/>
<allow send_interface="org.ofono.HandsfreeAudioAgent"/>
<allow own="org.bluez"/>
<allow send_destination="org.bluez"/>
<allow send_interface="org.bluez.Agent1"/>
<allow send_interface="org.bluez.MediaEndpoint1"/>
<allow send_interface="org.bluez.MediaPlayer1"/>
<allow send_interface="org.bluez.ThermometerWatcher1"/>
<allow send_interface="org.bluez.AlertAgent1"/>
<allow send_interface="org.bluez.Profile1"/>
<allow send_interface="org.bluez.HeartRateWatcher1"/>
<allow send_interface="org.bluez.CyclingSpeedWatcher1"/>
<allow send_interface="org.bluez.GattCharacteristic1"/>
<allow send_interface="org.bluez.GattDescriptor1"/>
<allow send_interface="org.freedesktop.DBus.ObjectManager"/>
<allow send_interface="org.freedesktop.DBus.Properties"/>
</policy>
To my understanding, pulseaudio and ofono can not communicate, although I get sound output from ofono to pulseaudio. Another reason might be that pulseaudio is started with pulseaudio --start, but other daemons are started with systemd services.
After a while, ofono disconnects, even Bluetooth disconnects. I suspect this dbus error might be the cause of that. Any guidance is appreciated.
Make sure ofono is installed
sudo apt-get install ofono
Make sure pulse users is created and it is part of bluetooth group
Grant the permission add this to /etc/dbus-1/system.d/ofono.conf (inside <busconfig></busconfig>):
<policy user="pulse">
<allow send_destination="org.ofono"/>
</policy>
Linux BLE Gatt server program is unable to retrieve dbus org.bluez object when run as a service. The programs works fine when I run the program using the terminal as root but it fails when I try to have the program run as a service.
Here is my systemd testproj.service file
[Unit]
Description=Start BLE Gatt Server
[Service]
Type=dbus
BusName=com.testproj
WorkingDirectory=/home/root/ble_gatt_server
ExecStart=/home/root/ble_gatt_server/standalone
User=root
[Install]
WantedBy=multi-user.target
Also here are my permission files for dbus
testproj.conf content is below
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow own="com.testproj"/>
<allow send_destination="com.testproj"/>
<allow send_destination="org.bluez"/>
</policy>
<policy at_console="true">
<allow own="com.testproj"/>
<allow send_destination="com.testproj"/>
<allow send_destination="org.bluez"/>
</policy>
<policy group="lp">
<allow own="com.testproj"/>
<allow send_destination="com.testproj"/>
<allow send_destination="org.bluez"/>
</policy>
<policy context="default">
<allow own="com.testproj"/>
<allow send_destination="com.testproj"/>
<allow send_destination="org.bluez"/>
</policy>
</busconfig>
Also here are my permission files for dbus
bluetooth.conf content is below
<!-- This configuration file specifies the required security policies
for Bluetooth core daemon to work. -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- ../system.conf have denied everything, so we just punch some holes -->
<policy user="root">
<allow own="org.bluez"/>
<allow send_destination="org.bluez"/>
<allow send_interface="org.bluez.Agent1"/>
<allow send_interface="org.bluez.MediaEndpoint1"/>
<allow send_interface="org.bluez.MediaPlayer1"/>
<allow send_interface="org.bluez.ThermometerWatcher1"/>
<allow send_interface="org.bluez.AlertAgent1"/>
<allow send_interface="org.bluez.Profile1"/>
<allow send_interface="org.bluez.HeartRateWatcher1"/>
<allow send_interface="org.bluez.CyclingSpeedWatcher1"/>
<allow send_interface="org.bluez.GattCharacteristic1"/>
<allow send_interface="org.bluez.GattDescriptor1"/>
<allow send_interface="org.freedesktop.DBus.ObjectManager"/>
<allow send_interface="org.freedesktop.DBus.Properties"/>
</policy>
<policy at_console="true">
<allow send_destination="org.bluez"/>
</policy>
<!-- allow users of lp group (printing subsystem) to
communicate with bluetoothd -->
<policy group="lp">
<allow send_destination="org.bluez"/>
</policy>
<policy context="default">
<deny send_destination="org.bluez"/>
</policy>
</busconfig>
I've tried to call the method GetSettings of the D-Bus object org.freedesktop.NetworkManager.Settings.Connection by the path /org/freedesktop/NetworkManager/Settings/2 (the number of settings just for example) in the Qt application. So when I tried to run this application as user with
$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),27(sudo),30(dip),
46(plugdev),113(lpadmin),129(sambashare)
it worked fine without errors, but when I'd started the application as lightdm greeter (lightdm user starts process) it logged the error:
org.freedesktop.NetworkManager.Settings.PermissionDenied uid 108 has no permission
to perform this operation
I've tried to make it with org.freedesktop.NetworkManager.conf below:
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow own="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.PPP"/>
<allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
<!-- These are there because some broken policies do
<deny send_interface="..." /> (see dbus-daemon(8) for details).
This seems to override that for the known VPN plugins.
-->
<allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
<allow send_destination="org.freedesktop.NetworkManager.openswan"/>
<allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
<allow send_destination="org.freedesktop.NetworkManager.pptp"/>
<allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
<allow send_destination="org.freedesktop.NetworkManager.ssh"/>
<allow send_destination="org.freedesktop.NetworkManager.iodine"/>
<allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
<allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
<allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
<allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
<allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
<!-- Allow the custom name for the dnsmasq instance spawned by NM
from the dns dnsmasq plugin to own it's dbus name, and for
messages to be sent to it.
-->
<allow own="org.freedesktop.NetworkManager.dnsmasq"/>
<allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>
<policy user="whoopsie">
<allow send_destination="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.Properties"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device"/>
</policy>
<policy context="default">
<deny own="org.freedesktop.NetworkManager"/>
<deny send_destination="org.freedesktop.NetworkManager"/>
<!-- Basic D-Bus API stuff -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.Properties"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.ObjectManager"/>
<!-- Devices (read-only properties, no methods) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Team"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
<!-- Devices (read-only, no security required) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>
<!-- Devices (read/write, secured with PolicyKit) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device"/>
<!-- Core stuff (read-only properties, no methods) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.IP4Config"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.IP6Config"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
<!-- Core stuff (read/write, secured with PolicyKit) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Settings"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>
<!-- Agents; secured with PolicyKit. Any process can talk to
the AgentManager API, but only NetworkManager can talk
to the agents themselves. -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.AgentManager"/>
<!-- Root-only functions -->
<deny send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager"
send_member="SetLogging"/>
<deny send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager"
send_member="Sleep"/>
<deny send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Settings"
send_member="LoadConnections"/>
<deny send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Settings"
send_member="ReloadConnections"/>
<deny own="org.freedesktop.NetworkManager.dnsmasq"/>
<deny send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>
<limit name="max_replies_per_connection">1024</limit>
<limit name="max_match_rules_per_connection">2048</limit>
</busconfig>
Could you help me make it work?
Thanks.
I want to secure the application pages in SharePoint 2013 with Claims authentication, it does not seem to be working.
<configuration>
<location path="_layouts/15/settings">
<system.web>
<authorization>
<allow users="demo\user1"/>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
however it works on Windows based authentication.
Update: 21-May-15:
I have fixed this
<configuration>
<location path="_layouts/15/settings">
<system.web>
<authorization>
<allow users="0#.w|demo\user1"/>
<deny users="*" />
</authorization>
</system.web>
</location>
however It is not authorizing the AD group, have tried as mentioned below.
<allow users="c:0+.w|demo\group1"/>
<allow roles="c:0+.w|demo\group1"/>
<allow users="0+.w|demo\group1"/>
<allow roles="0+.w|demo\group1"/>
<allow users="demo\group1"/>
<allow roles="demo\group1"/>
<allow users="c:0+.w|sid"/>
<allow roles="c:0+.w|sid"/>
<allow users="0+.w|sid"/>
<allow roles="0+.w|sid"/>
<allow users="sid"/>
<allow roles="sid"/>
How do I authorize both the individual user and AD groups?
update : 22-May-2015
<location path="_layouts/15/viewlsts.aspx">
<system.web>
<authorization>
<allow users="Group1" />
<allow users="Domain\Group1" />
<allow users="0#.w|Domain\Group1" />
<allow users="c:0+.w|Domain\Group1" />
<allow users="s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow users="0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow users="c:0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow roles="Group1" />
<allow roles="Domain\Group1" />
<allow roles="0#.w|Domain\Group1" />
<allow roles="c:0+.w|Domain\Group1" />
<allow roles="s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow roles="0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow roles="c:0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<deny users="*" />
</authorization>
</system.web>
</location>
Still it is not working.
The prefix is different for groups.
Have you tried ?
<allow users="c:0+.w|demo\group1"/>
If it works, you can then authorize groups and users like this
<allow users="c:0+.w|demo\group1,0#.w|demo\user1"/>