
I am creating a systemd service that sends a desktop notification via org.freedesktop.Notifications dbus target whenever a high priority event is logged. To do so, I run journalctl as root and process the output all within a Rust program (journalctl is called as a child from within the program), which can be approximated as follows:

sudo journalctl -focat -p3 -Snow | xargs -I{} -d '\n' notify-send {}

I need to run journalctl with root privileges in order to have access to all of the logs, but when I make it a systemd service, it no longer works (also does not work when running with sudo in the terminal). My (abbreviated) .service file for it looks like this:

[Unit]
Requires=dbus.service

[Service]
WorkingDirectory=~
ExecStart=/usr/bin/auditnotify
Restart=always
PrivateTmp=true
NoNewPrivileges=true

[Install]
Alias=auditnotify
WantedBy=default.target

After inspecting the service with strace, I found out that what appears to be happening is that the zbus dependency of the notification crate I am using, notify-rust, is getting the UID and then trying to get the session bus using that. However, since it's running as root, it gets 0 for its UID and fails to send the notification.

strace output snippet:

geteuid()                               = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/run/user/0/bus"}, 18) = -1 ENOENT (No such file or directory)
close(3)                                = 0

This hypothesis was confirmed when I added User=gfaster and Group=gfaster to the .service file, and notifications started working. However, as I mentioned earlier, this does not work since I need root access to the journal.

Is there any way of fixing this? Is it possible to run this service as part of the user session but with root privileges? Would I just have to make a second service that interfaces with the log, and if so, what does that configuration look like?

gfaster
  • While my answer here was specific to crontab, you should be able to use the environment entries in a systemd service: https://unix.stackexchange.com/questions/560724/unable-to-send-notifications-from-cron-job/560732#560732 – ajgringo619 Jan 23 '23 at 01:11
  • Have you tried setting uid of user gfaster to 0? vi /etc/passwd gfaster:0:0 – Hoodad Tabibi Jan 23 '23 at 12:33
  • I don't think setting my user account to UID 0 is a good idea because that's already used by root on Linux systems. – gfaster Jan 23 '23 at 23:48
  • @ajgringo619 I tried that and it seems like messages started being rejected due to authentication failure, https://unix.stackexchange.com/q/194308/545231 – gfaster Jan 24 '23 at 02:27
  • What happens if you open a root terminal, add the variables in my post, then run your command manually? Obviously you changed /home/me to /home/gfaster, correct? – ajgringo619 Jan 24 '23 at 02:40
  • I did change it properly. Running sudo -E ./auditnotify after putting in all the variables still produces the broken pipe error. – gfaster Jan 24 '23 at 03:19
  • As a test, disable access control with xhost + as your user, then try again. I just tested a simple zenity command and it worked. – ajgringo619 Jan 24 '23 at 05:22
  • You could give your user access to the journalctl logs. – Stewart Jan 24 '23 at 20:18
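
Added example, not part of the original question or its comments: one way to apply Stewart's suggestion, keeping the notifier unprivileged by running it as a user unit for gfaster and granting journal read access through the systemd-journal group. The install path, the Description text and the setup commands in the comments are assumptions; ExecStart, Restart, NoNewPrivileges and WantedBy are taken from the unit in the question.

```ini
# ~/.config/systemd/user/auditnotify.service  (assumed install path for a per-user unit)
#
# One-time setup, run as root (assumption: journal access is granted via the
# systemd-journal group, whose members can read the system journal):
#   usermod -aG systemd-journal gfaster
# Log out and back in so the new group membership applies, then as gfaster:
#   systemctl --user daemon-reload
#   systemctl --user enable --now auditnotify.service

[Unit]
Description=Desktop notifications for high-priority journal entries

[Service]
# Runs as gfaster inside the user manager, so geteuid() returns that user's
# UID and the session bus lookup resolves to /run/user/<uid>/bus instead of
# /run/user/0/bus.
ExecStart=/usr/bin/auditnotify
Restart=always
# Nothing in this design needs to gain privileges: journalctl is started
# without sudo and relies on group membership alone.
NoNewPrivileges=true

[Install]
WantedBy=default.target
```

Membership in systemd-journal lets gfaster read every system journal entry, which is narrower than running the whole notifier as root but still worth weighing on a multi-user machine.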

0 Answers