Hello,
Currently when I start my Epson scanner with iscan (Image Scan for Unix) I receive an authentication window with ident “org.freedesktop.systemd1.manage-units” and polkit.subject-pid = iscan pid.
The reason is that the program tries to find a scanner and uses avahi-daemon.service for that. This service is not started at boot.
The avahi-daemon.socket is started:
hpprol2:~ # systemctl status avahi-daemon.socket
● avahi-daemon.socket - Avahi mDNS/DNS-SD Stack Activation Socket
Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.socket; enabled; vendor preset: disabled)
Active: active (running) since Sun 2022-04-03 09:02:14 CEST; 2h 3min ago
Until: Sun 2022-04-03 09:02:14 CEST; 2h 3min ago
Triggers: ● avahi-daemon.service
Listen: /run/avahi-daemon/socket (Stream)
CGroup: /system.slice/avahi-daemon.socket
Apr 03 09:02:14 hpprol2 systemd[1]: Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
I want to allow a normal user to start avahi-daemon.service without root authentication.
It seems that a polkit rule can do the job.
It is the first time that I have tried to work with polkit.
I found in this document (polkit - ArchWiki) an example that allows management of individual systemd units by regular users, for wpa_supplicant.
So I created /etc/polkit-1/rules.d/11-avahidaemon.rules:
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        // Debug output: the action, the subject and the requested unit
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
        polkit.log("unit=" + action.lookup("unit"));
        if (action.lookup("unit") == "avahi-daemon.service") {
            polkit.log("verb=" + action.lookup("verb"));
            var verb = action.lookup("verb");
            // Allow start/stop/restart of this one unit without authentication
            if (verb == "start" || verb == "stop" || verb == "restart") {
                return polkit.Result.YES;
            }
        }
    }
});
But after a restart of polkit, and even after a reboot, authentication is still requested.
Journalctl shows, before authentication:
Apr 03 10:58:22 hpprol2 systemd[23276]: Started Image Scan! for Linux.
Apr 03 10:58:22 hpprol2 iscan[15682]: io/hpmud/model.c 532: no hp_HP_LaserJet_200_color_M251n attributes found in /usr/share/hplip/data/models/models.dat
Apr 03 10:58:22 hpprol2 iscan[15682]: io/hpmud/model.c 543: no hp_HP_LaserJet_200_color_M251n attributes found in /usr/share/hplip/data/models/unreleased/unreleased.dat
Apr 03 10:58:22 hpprol2 dbus-daemon[728]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service' requested by ':1.2569' (uid=1000 pid=15682 comm="/usr/bin/iscan")
Apr 03 10:58:22 hpprol2 dbus-daemon[728]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service not found.
After cancelling the authentication:
Apr 03 10:58:51 hpprol2 polkitd[15400]: Operator of unix-session:16 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.2576 [/usr/bin/iscan] (owned by unix-user:philippe)
Apr 03 10:58:51 hpprol2 iscan[16079]: protocol/discovery/avahiDiscovery.c 472: Failed to create client object: Daemon not running
After successful authentication:
Apr 03 11:00:42 hpprol2 polkitd[756]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.2584 [/usr/bin/iscan] (owned by unix-user:philippe)
Apr 03 11:00:43 hpprol2 dbus-daemon[748]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service' requested by ':1.2588' (uid=1000 pid=7285 comm="/usr/bin/iscan")
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Found user 'avahi' (UID 488) and group 'avahi' (GID 474).
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Successfully dropped root privileges.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: avahi-daemon 0.8 starting up.
Apr 03 11:00:43 hpprol2 systemd[1]: Started Avahi mDNS/DNS-SD Stack.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: No service file found in /etc/avahi/services.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Joining mDNS multicast group on interface vlan3.IPv4 with address 192.168.3.1.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: New relevant interface vlan3.IPv4 for mDNS.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Joining mDNS multicast group on interface vlan2.IPv4 with address 192.168.2.1.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: New relevant interface vlan2.IPv4 for mDNS.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Joining mDNS multicast group on interface vlan1.IPv4 with address 192.168.1.1.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: New relevant interface vlan1.IPv4 for mDNS.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Joining mDNS multicast group on interface vlan4.IPv4 with address 192.168.4.1.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: New relevant interface vlan4.IPv4 for mDNS.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Joining mDNS multicast group on interface br0.IPv4 with address 192.168.1.120.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: New relevant interface br0.IPv4 for mDNS.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: New relevant interface lo.IPv4 for mDNS.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Network interface enumeration completed.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Registering new address record for 192.168.3.1 on vlan3.IPv4.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Registering new address record for 192.168.2.1 on vlan2.IPv4.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Registering new address record for 192.168.1.1 on vlan1.IPv4.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Registering new address record for 192.168.4.1 on vlan4.IPv4.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Registering new address record for 192.168.1.120 on br0.IPv4.
Apr 03 11:00:43 hpprol2 avahi-daemon[7297]: Registering new address record for 127.0.0.1 on lo.IPv4.
Apr 03 11:00:44 hpprol2 avahi-daemon[7297]: Server startup complete. Host name is hpprol2.local. Local service cookie is 1374376549.
First remark: I don’t see the lines from polkit.log. Does this mean that this code is not executed or recognized?
I see in the man page for action.lookup(string key):
The lookup() method is used to lookup the polkit variables passed from the mechanism. For example, the pkexec(1) mechanism sets the variable program which can be obtained in JavaScript using the expression action.lookup("program"). If there is no value for the given key, then undefined is returned.
Consult the documentation for each mechanism for what variables are available for each action.
Where can I find this documentation?
In avahi-daemon.service I see an alias:
....
[Install]
WantedBy=multi-user.target
Also=avahi-daemon.socket
Alias=dbus-org.freedesktop.Avahi.service
Is there something special to do when an alias is present? This alias seems to be used by iscan.
Many thanks in advance
Philippe
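
A least-privilege variant of the kind of rule discussed in the post, as an added example that is not part of the original post and not the poster's code. It assumes a hypothetical group named "scanner", lists the unit alias alongside the real unit name in case the mechanism reports it, and uses a constructed stand-in for the `polkit` object so the decision function can also be run under node.

```javascript
// Added example, not from the original post. Runs under polkitd as a rules
// file and under node for offline checks.
// Under node there is no global `polkit`; this stand-in (constructed for the
// example) lets the decision function be exercised without polkitd.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NOT_HANDLED: null },
    log: function (msg) {},
    addRule: function (fn) {}
};

// The alias is listed as well in case the mechanism reports it (assumption).
var ALLOWED_UNITS = ["avahi-daemon.service", "dbus-org.freedesktop.Avahi.service"];
var ALLOWED_VERBS = ["start"];   // narrower than start/stop/restart
var ALLOWED_GROUP = "scanner";   // hypothetical group name

function avahiStartRule(action, subject) {
    if (action.id !== "org.freedesktop.systemd1.manage-units") {
        return pk.Result.NOT_HANDLED;
    }
    // lookup() returns undefined when the mechanism did not pass the key
    var unit = action.lookup("unit");
    var verb = action.lookup("verb");
    pk.log("manage-units unit=" + unit + " verb=" + verb + " user=" + subject.user);

    if (ALLOWED_UNITS.indexOf(unit) === -1 || ALLOWED_VERBS.indexOf(verb) === -1) {
        return pk.Result.NOT_HANDLED;  // fall through to the default policy
    }
    // Only a local, active session of a group member skips the prompt
    if (subject.local && subject.active && subject.isInGroup(ALLOWED_GROUP)) {
        return pk.Result.YES;
    }
    return pk.Result.NOT_HANDLED;
}

pk.addRule(avahiStartRule);
```

Under polkitd the `pk.log` line is written to the system log for every manage-units request, which shows which unit and verb the mechanism actually passes.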